discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases/tag/2[.]0

Resubmissions

08-09-2024 13:23

240908-qna2qsyark 10

Analysis

max time kernel
1048s
max time network
1037s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08-09-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3NjlwNjc5NjM4NTU1NDUyNA.GR2_ZP_qgu0KpGKYZG7rojSDuBmHwDqWT3AC9MQNXhXg
server_id
1276206514943823989

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 5 IoCs

pid	Process
948	Client-built.exe
4396	Client-built.exe
3476	Client-built.exe
192	Client-built.exe
1068	Client-built.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\release.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	948	Client-built.exe
Token: SeDebugPrivilege	4396	Client-built.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	3476	Client-built.exe
Token: SeDebugPrivilege	192	Client-built.exe
Token: SeDebugPrivilege	980	firefox.exe
Token: SeDebugPrivilege	1068	Client-built.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
980	firefox.exe
980	firefox.exe
980	firefox.exe
980	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
980	firefox.exe
980	firefox.exe
980	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
980	firefox.exe
980	firefox.exe
980	firefox.exe
980	firefox.exe
980	firefox.exe
980	firefox.exe
980	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 4956 wrote to memory of 980	4956	firefox.exe	75
PID 980 wrote to memory of 4788	980	firefox.exe	76
PID 980 wrote to memory of 4788	980	firefox.exe	76
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4688	980	firefox.exe	77
PID 980 wrote to memory of 4568	980	firefox.exe	78
PID 980 wrote to memory of 4568	980	firefox.exe	78
PID 980 wrote to memory of 4568	980	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="980.0.1134587939\1862818618" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {148fe417-d4e2-47a7-875c-ef96e956ad47} 980 "\\.\pipe\gecko-crash-server-pipe.980" 1812 255537d8058 gpu
    3⤵
    PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="980.1.820672042\1669378354" -parentBuildID 20221007134813 -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cd147ea-db1d-4c37-8134-1f2d6f057e2a} 980 "\\.\pipe\gecko-crash-server-pipe.980" 2216 25553331458 socket
    3⤵
    PID:4688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="980.2.1508385370\202574715" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2768 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b25a8a10-7b5b-4abe-9ac4-42484d686c33} 980 "\\.\pipe\gecko-crash-server-pipe.980" 2784 255577cd858 tab
    3⤵
    PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="980.3.1415719364\195815777" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e99b8295-a3b3-4e51-b2d6-4541a20a0525} 980 "\\.\pipe\gecko-crash-server-pipe.980" 3632 2554876c458 tab
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="980.4.660521112\77640204" -childID 3 -isForBrowser -prefsHandle 4780 -prefMapHandle 4760 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcbe40b8-20d7-4a81-8ac9-1579fd7b3f18} 980 "\\.\pipe\gecko-crash-server-pipe.980" 4796 2555ae3e558 tab
    3⤵
    PID:2916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="980.5.1851733125\1881612531" -childID 4 -isForBrowser -prefsHandle 4936 -prefMapHandle 4940 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5838f87-9021-4b63-985d-c1222c54c293} 980 "\\.\pipe\gecko-crash-server-pipe.980" 4924 2555ae3d658 tab
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="980.6.218052834\993019211" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fdd4546-918b-4ca1-9605-082994f38146} 980 "\\.\pipe\gecko-crash-server-pipe.980" 4908 2555aefe258 tab
    3⤵
    PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2060

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4892

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
10KB

MD5
a5bf891b607bd12cbbc6b19000e99238

SHA1
d73f2edb30c0a22c2bdbe5dfd6761f22978c2de1

SHA256
1e47f79d401fb5675ae7c2bd05f11460629a185baea0c10e6cd368160fc7c03c

SHA512
e9edba356e3ba0a69e000cfc382593a8b7e7b3579615f377fdd3880a4105663e3650dec36d42017f2ad16e5a2600125d496421a273af4f19b22e2e03c2d958cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
21eb2606295d30cf345d23245b878e5f

SHA1
c08faf6c424c14ba8d5d0fb183b3c8902b4a90c6

SHA256
8915ca6a16a78552806185f47745415028e7f27280c675fb76ed7bc725d71e81

SHA512
f7e12a785f6e4b0d4c2197c93902ac79fba9e8b78461aec61c30f9688b37d023753ab144379fcc011385ecc3dad83497ff05c17e85b901d5da66ebe6c7047429

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\3cddcd3d-375d-4617-b259-d54501a1f927

Filesize
10KB

MD5
cb8fb52762f158ad39b1587c24961eed

SHA1
8a8853c4cfa05b34254c63287ce5ed7f943d28a1

SHA256
59f91533ffe9dae4d199c952e5f6ad2c1253080d645857810246a419bf4100ad

SHA512
06d60fefff20b8b5067c87b4f82ba0b3724565be61d6044a9185235168f47597e0b75fc50628ab1a812ba25411a10fd61f2651278c07b72dde49b9bc839591e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\c6a1da23-a1a7-4560-a0d9-24dc4fd96b4d

Filesize
746B

MD5
9d7800b7626619c0a056c722205d4727

SHA1
4097feecccdb87b7f5f8d1c593a826bab2c91221

SHA256
86fa1d74496d4509fb4b80c46f29225a7e04dcec2ab9a3508258df592f2363a5

SHA512
ab6125f6aa51bdae57617a9dfc2df85e3d9b299430e4fe492912533f1730de45560b2f1940c6e0530feeaa53141426c6c6ff98d964a38f93c5b30c21c18911d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
b1918d369400724a296513475d561920

SHA1
7c6873b3f1786c82dbeab16c00a3f55876b83136

SHA256
07381d0fa356086e72d3b5dd5e75d7347a73f764ae5dc33388e32271bed60f17

SHA512
a2271c4ab9f37b44969238fc4bc86b0320c72bb23e04dccbba33ebe32a2d5a297a922fdee1a20afcbbd5586ae708ae399c760c9a2f5f32d623c05b950ccb1b85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
37de393bdbfac94efce5b17647de53bc

SHA1
f8334681265eed3e1d8beac1e6a9f6f7a17ab986

SHA256
ceacbfbf1e19dbeb1cb5cef9296d2fa413df17563d176eed6ce9bfd125954931

SHA512
7d578787664c0330127e24c70aee755f12d72861e6d22e9950d128f004b4eb8e4783a7d0dad1f17f7d9b056683ab17614a5f3a670e7d127b3efa62dbf01b8b72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
d5353b8a237cede279bae6324e500d69

SHA1
b72a06ecb566006a8e516293421db9d7501f2268

SHA256
fddc4b1bc99e931da08e92d87f5873f3bea2971c81a636d582ccee9de95d8254

SHA512
2a8b90ae6d93a596cbb330e0d41a040a8066472afb47142260dc94695232bfac1839344ef0e912f33045b9dae0bd7e9b5550fe2e0c873a1bad214704e12e3744

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
49784d8f4a125865f91f78e85919f71f

SHA1
b5159af4aed01af25cdbdf488f60c463c949efc0

SHA256
99afc75d9091569f428afe6b06d63c785fad0eb85c73e9795bcf9bb718605bd9

SHA512
bedb8d27c749dc9db4610152c53b6eaac0800a2fd5e51c901747c48153d73a004e541078f39901a24cb5f954c1a0f0dd15ae39c1d4ad150fad3d5e4ab9e7960f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
9bd189f96a1b34c94588bdd470691ace

SHA1
17c901595574bde2fcaef00409e3c195fc64babf

SHA256
8de1d1e87fe9729ed32c3a5c20a6616bc081eabc223465bd92d0047d299d83e5

SHA512
40cfc2f271f93fc92681af0480e4074061b7a36f9d7c81d9263643429bb32845bc1dc178155b8e6fe4c027b4b7ce5f1df66a40b1d43c41bbb0be746f7e7929fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
365b50d886b74fe676bb53a63aa6638f

SHA1
e31bf57e462ac99225e15983276179e720230470

SHA256
83e431c77e8e8527363458975ef6728e9a75c254918cab76ff57785e5cffe6e6

SHA512
05bd95bd45402387f186c92b90ddf23f8e6cbca3751572597b931f49f365920e6cbc845af7900587e8e8b00adeb15c71d57f2aedb650ab48de9cd85e4146bf1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
0eb289428a14f7b12486dcd4d48e1283

SHA1
21370d39a9e7ecebbfd97ee8a4be731f45ed8873

SHA256
e9b5209c4c7acc92286fe29910052fe2b92613a05c6e0c0098467dd17cf0af09

SHA512
080b5800e030ed24cb2ad68a2fb2cbb895fbd96a4c71d2ee4ae96911f481eb53c26a8273832d8f687ca27b6a29cb60c4a3280b3c4f3b246dc35d483091fae90a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
8827a8abbb47b7202008849de1c6eb0e

SHA1
68dc9cb5b884808c107ea77bf476a5e96ee2e7c6

SHA256
004c87e4513265e8d64320982e3a6e22fd0be2ffe0544225c3614dac12dda96f

SHA512
a656947c41b0c644c9c2c9f805421723f3f1538354f5aa45bf394e9eb84b2af97ab87dbaa67cc1c3e5d8e9e28bf179e194aedac3cbdf91272b9ff9e4f5141f33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
acb98d3d4e718735b97cfa91dc502aeb

SHA1
169e52e36b0118c591b2c7c4566f7d24bb48a1fe

SHA256
d7f03e1c2f27c7dcae5c28ea3c52ddb1d5c8086870d28206e8afc039d6779ce5

SHA512
a8aa54bcc302f0e67fc2d856e540696259ef259dfc9ca8cf59a02a9552f86e004a251129ea53acd0109f6c6e10395003c884bf45a25424a93165b1b25b883227

Download Submit
C:\Users\Admin\Downloads\release.uDBQyBEx.zip.part

Filesize
30KB

MD5
c015abec81bf6d567cf2067375d67ff5

SHA1
d8fad112d1093413b3ea4f9619287bf3fb6f0239

SHA256
fb79f74e1e059174acaaf2dd9d45ac1b30e5e1b49b423656232d711adce49fde

SHA512
9a091adccbc2de062c89b1f650430594649ba2a6616dbd1be737be8ca7db8ec217c2d90f619af7e9ad64b7825e448517653cef6dde79ccc90ce90402d9b5e115

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
08cd18f3a79da8de3d6f430dc884cade

SHA1
6a35b5e519a2da52e8a0a155024de9416d8fe240

SHA256
1b3664575f73cf3d928eb09af54b2d6f3fd14edc54eb6b9c719b1366312d26fa

SHA512
0e9c4c9c73d3132b5bdfe568be48dec8c2819439cb4ffc59a869dbb19455efc09071ec8f9665cfb4bc5ad72c991cc6a32f53ac2dd7a68f97b07c32c6c8f062a7

Download Submit
memory/948-501-0x00007FFEFC003000-0x00007FFEFC004000-memory.dmp

Filesize
4KB

Download
memory/948-502-0x0000014853BF0000-0x0000014853C08000-memory.dmp

Filesize
96KB

Download
memory/948-507-0x00007FFEFC000000-0x00007FFEFC9EC000-memory.dmp

Filesize
9.9MB

Download
memory/948-506-0x00007FFEFC003000-0x00007FFEFC004000-memory.dmp

Filesize
4KB

Download
memory/948-505-0x000001486E980000-0x000001486EEA6000-memory.dmp

Filesize
5.1MB

Download
memory/948-504-0x00007FFEFC000000-0x00007FFEFC9EC000-memory.dmp

Filesize
9.9MB

Download
memory/948-503-0x000001486E180000-0x000001486E342000-memory.dmp

Filesize
1.8MB

Download
memory/4892-274-0x000000007340E000-0x000000007340F000-memory.dmp

Filesize
4KB

Download
memory/4892-298-0x000000007340E000-0x000000007340F000-memory.dmp

Filesize
4KB

Download
memory/4892-299-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/4892-497-0x00000000083F0000-0x0000000008512000-memory.dmp

Filesize
1.1MB

Download
memory/4892-278-0x0000000004E70000-0x0000000004E7A000-memory.dmp

Filesize
40KB

Download
memory/4892-279-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/4892-277-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/4892-275-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/4892-276-0x00000000054D0000-0x00000000059CE000-memory.dmp

Filesize
5.0MB

Download