discordrat | hxxps://github[.]com/moom825/Discord-RAT-2[.]0/releases/tag/2[.]0 1286237969870618677 MTI4NjIzNzk2OTg3MDYxODY3Nw[.]G11301[.]n2fmRfg0yMoTqncd4GRV3VLKsrvwaWSC7q_6LA

Analysis

max time kernel
1799s
max time network
1796s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0 1286237969870618677 MTI4NjIzNzk2OTg3MDYxODY3Nw.G11301.n2fmRfg0yMoTqncd4GRV3VLKsrvwaWSC7q_6LA

Score

10^/10

discordrat credential_access discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI4NjIzNzk2OTg3MDYxODY3Nw.G11301.n2fmRfg0yMoTqncd4GRV3VLKsrvwaWSC7q_6LA
server_id
1286237969870618677

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 24 IoCs

pid	Process
4664	Client-built.exe
3604	Client-built.exe
2804	Client-built.exe
2320	Client-built.exe
3492	Client-built.exe
4040	Client-built.exe
3632	Client-built.exe
3052	Client-built.exe
376	Client-built.exe
4736	Client-built.exe
5200	Client-built.exe
5292	Client-built.exe
5384	Client-built.exe
5476	Client-built.exe
5572	Client-built.exe
5680	Client-built.exe
5772	Client-built.exe
5852	Client-built.exe
5936	Client-built.exe
6024	Client-built.exe
6124	Client-built.exe
6152	Client-built.exe
6228	Client-built.exe
6336	Client-built.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\release.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1504	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	4664	Client-built.exe
Token: SeDebugPrivilege	1504	taskmgr.exe
Token: SeSystemProfilePrivilege	1504	taskmgr.exe
Token: SeCreateGlobalPrivilege	1504	taskmgr.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	3604	Client-built.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	2804	Client-built.exe
Token: SeDebugPrivilege	2320	Client-built.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	3492	Client-built.exe
Token: SeDebugPrivilege	4040	Client-built.exe
Token: SeDebugPrivilege	3632	Client-built.exe
Token: SeDebugPrivilege	3052	Client-built.exe
Token: SeDebugPrivilege	376	Client-built.exe
Token: SeDebugPrivilege	4736	Client-built.exe
Token: SeDebugPrivilege	5200	Client-built.exe
Token: SeDebugPrivilege	5292	Client-built.exe
Token: SeDebugPrivilege	5384	Client-built.exe
Token: SeDebugPrivilege	5476	Client-built.exe
Token: SeDebugPrivilege	5572	Client-built.exe
Token: SeDebugPrivilege	5680	Client-built.exe
Token: SeDebugPrivilege	5772	Client-built.exe
Token: SeDebugPrivilege	5852	Client-built.exe
Token: SeDebugPrivilege	5936	Client-built.exe
Token: SeDebugPrivilege	6024	Client-built.exe
Token: SeDebugPrivilege	6124	Client-built.exe
Token: SeDebugPrivilege	6152	Client-built.exe
Token: SeDebugPrivilege	6228	Client-built.exe
Token: SeDebugPrivilege	6336	Client-built.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe
1504	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 2872 wrote to memory of 1988	2872	firefox.exe	73
PID 1988 wrote to memory of 2328	1988	firefox.exe	74
PID 1988 wrote to memory of 2328	1988	firefox.exe	74
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 4324	1988	firefox.exe	75
PID 1988 wrote to memory of 2236	1988	firefox.exe	76
PID 1988 wrote to memory of 2236	1988	firefox.exe	76
PID 1988 wrote to memory of 2236	1988	firefox.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0 1286237969870618677 MTI4NjIzNzk2OTg3MDYxODY3Nw.G11301.n2fmRfg0yMoTqncd4GRV3VLKsrvwaWSC7q_6LA"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/moom825/Discord-RAT-2.0/releases/tag/2.0 1286237969870618677 MTI4NjIzNzk2OTg3MDYxODY3Nw.G11301.n2fmRfg0yMoTqncd4GRV3VLKsrvwaWSC7q_6LA"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.0.929143621\836384008" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a0ee52c-aff8-45ff-acca-e8846734f688} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 1812 1d4d7cd9f58 gpu
    3⤵
    PID:2328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.1.1087145081\1099308562" -parentBuildID 20221007134813 -prefsHandle 2176 -prefMapHandle 2172 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6fe56b6-6932-4d34-9e8b-8e9e49363acc} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 2188 1d4c597c558 socket
    3⤵
    PID:4324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.2.1593663524\2121890351" -childID 1 -isForBrowser -prefsHandle 2816 -prefMapHandle 2832 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {094cdc60-ac29-44e4-9742-f8e89013529f} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 2968 1d4dbec5a58 tab
    3⤵
    PID:2236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.3.162485933\1779942012" -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45c2b23a-ca68-4755-aa2f-6dbf950b9e70} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 3732 1d4dcee0058 tab
    3⤵
    PID:1088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.4.2072706139\2016017342" -childID 3 -isForBrowser -prefsHandle 4952 -prefMapHandle 5000 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22e91f80-38bc-43a0-9cd9-b47f98bac243} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 4968 1d4def74858 tab
    3⤵
    PID:2976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.5.157956071\1206254904" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e69459f-61f0-4c3c-84c9-42c0b5b231de} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5100 1d4df0ee058 tab
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.6.1824650071\2020016058" -childID 5 -isForBrowser -prefsHandle 5280 -prefMapHandle 4968 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a3ef41-4255-4d85-8fec-b75f93fab5fe} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5320 1d4df3f9958 tab
    3⤵
    PID:4476

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4552

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4276

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1504

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5200

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5772

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5936

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6124

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6152

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6228

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\9380

Filesize
15KB

MD5
f27c1114974c340133c28a9010a63ac5

SHA1
9ee1aac27b4a634fb9a65891deaf7f362b612e90

SHA256
c8395523cfcf74d567b342433f610b70ef8eea85287d347a29db312fa9df1a45

SHA512
edae3bd8bcda9fa0a791ffc1055fe562ad6645d731143ca00b69df590a6faf48984be0b2034c0cd75baf604090875891299fb630c3ab4f24f551dff2d148b2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
12KB

MD5
eb4d12ec022a5935d35a867d7ca7d84d

SHA1
1155c0c519e332ec2367151f274d4c78a0959b53

SHA256
3502f57eeadf22474ece3058eb862f5dec91ca5ff91071569b18bdf6e5594762

SHA512
457e9da4fc1d07442cce99dc751b7b6ee3c5cc5a3879b6c76641aecebd5ba122459af03651a0dbcbe88109f6985aad4dc968e95806bdbf0591334883da73e113

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\SiteSecurityServiceState.txt

Filesize
623B

MD5
ddb4ab1e8ad99b96978c6c0617e58425

SHA1
8325533bf2c2950896be496bc33cf8318268fad0

SHA256
24872bd1226fc5ffd89d2180bb6240638888c803d11bfe121669db2393477e64

SHA512
e88bf8a9fac2d06cbc4ff0b8373e2133fe137ba0bf600c62ef49ff63b05d00a19b931535bc0dc24a6198cf64d9cafb24fef8f664dcdc7d638d6b75751785bf8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\bookmarkbackups\bookmarks-2024-09-19_11_JYHA1IDH37kjW2ud4k03lA==.jsonlz4

Filesize
948B

MD5
7c618c5385632ed123b3929e89a9104a

SHA1
877eef304b5bca587c7f990c0b187b1fbe666e04

SHA256
0c052f029079668e4dc8f63800c6b2fd173fd97de4739e5a66d017df726f519c

SHA512
78e0c287f8367a1fb67e816d2ca7a675cf880d1a245ebc1f4633c52a54bd7fb8ba4564d7c07ceddd9f56c9efbaadb2da1ccc928f679645b3d91dcdac7c87d64e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
3ee10cdf685e3e183aba4ef754bc3441

SHA1
f62bc2839488da3da4e9270560b9e443e916b80d

SHA256
f6bb8c59b8874972615482304c5e8960fed090625511d472ca12e44584c6bfa9

SHA512
cd41aa5418704a1aac73241414da495baabd42fd557b82741321318e35e7fcc84c2c8a0fed07c5970ed12ab6064623a86ca73c3092aa49962c2790c6b43618e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\08b85cfc-8bec-4d9e-8a9f-648954b6f1f3

Filesize
11KB

MD5
abdd697ed8f3a10a21b9a534a3f6d841

SHA1
c741370f004cd751d763e458a9e25db6577a98a0

SHA256
1be923c671254ac79374676437f6abd11a04c49aaf5186f2536c97bfd54bb5ce

SHA512
6f406b9e508996f739bdaeed0a1ecd467daf4b5a44a6bd3791c1784bf328691a75c4f7a561e121025f882b64093d120206dcae33ee396b1f841c900446bf7808

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\e525f107-6090-428b-9544-2987b5afc53d

Filesize
746B

MD5
ed4bf7b26d5fda92286f61888f20cefb

SHA1
d530f0ebbb1c60f6f4609b47c441246ba5f2442b

SHA256
71cce31cc85500d570642dab8c5e98549905536a9b98062d4916e387791f9db0

SHA512
75e24471ef35e97daddbe36fcd813e1730b3af1dc362bf1fd27074c3b96d8ea4f081e4e22ec262b089f99ec5c9fe3fd784458a1198cdc7aad27294a5567cdd1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
2a531f75eedd36fc2d0c5121971386d7

SHA1
0d6d6c9417a6f8151475cce86fb547cdf356f219

SHA256
a11067c96dbc6a9394a91ac84735600e10c7f6a8ab42f3354d8b904974933f35

SHA512
02b572c39af1262a22b96df6415e3813fc44653725c310dd6738c5e6abe9c32c491ad93f8bd6ceadd5d17b133f12daa46b3dce3a841cdf37cc7b96167a8d3f96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
d2c376e4fd6256eb32e5b69d8e59b4dd

SHA1
d9a9d6b1dd05ef9db8f68cb5a82ff0dab910ea43

SHA256
18dc33ddab387556307cc2c87ebcf56b4a112a41d86d73cc752166ef79c199e8

SHA512
cedcd50ee4e69a9952d01749f747b6d74c01635c5cf5d4b0033efe5c580aaae451fe4b5aa6692af2205062d80604d3ffa4ef9b5e115cd4632774780d49255227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
8e6a097862a94a3840c63609d2ddd420

SHA1
22fae8b53e5c7674954f304409b6bd541e2f69b4

SHA256
2a814979347d27ea9b80c02c110258cde0f534674e4f6aa2e6d103f8dee98ece

SHA512
2116f2866ac3906c243f5f72aa6741b58b22ceb13ec97465feaf128447d413f54e85e8f656b656979a115ede074913ccf3167a2df934c03495c467377d3fe873

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
95165c31b847bccf6e19d43f61ebfba9

SHA1
a1965688c7216c1d5752ab298cbdb25f99254e0f

SHA256
74c34a05d467b884721a60b0605080927474e73b02ed5f267da2cfea6a5a74b3

SHA512
181e9f41abc035cbe6aba7908a37f2b8bc203fa02bae8b0cda91537696c860bafaa9447e66fe3d2d4a28257aff6262e2b8338004e5bf0317f97411aa8c7ddd5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
84aae008fb9d17948497333726e5d1f5

SHA1
aee1cdf19f18b7627eac176e4f330625d89ffd99

SHA256
ed898a2b0db3e8948f7bcfb57495b9d720c4e9db5cfe59c946597e68b0ebb25a

SHA512
ecd626e1988ff89bb678bb6047cf85e9269857b913942a72d9217e902c18968ab2fbaba6283b2a580043d9cbbd9aec1c8fbca44a4895cc5fb9e7ea958f94b576

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
a41445df1b9695f4f2d611b02ef22d22

SHA1
3475d78fa024da59390f33752e0181ecc6bf9e81

SHA256
ef6c477568544333b3bbf4ef7cc07102900b101ecae69c3621ab3b524ea93c8f

SHA512
9d197eccdce74af102051ed74835b4f61e51a6ea4a539e6655c408737edd01796ad60a4202c786c9d54022b35af92171fada39463d97ba8d8d3080a6db54170d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6c9ff0a4ec5bfadaa01c5cc8ee019be7

SHA1
7e4ac24a7839c98c7a498dec3303bc5df138151a

SHA256
ef60771c30036dc460787e19a488c39a383cec054e0862f507ff974ed17420ad

SHA512
e8afedfcd6c3fcd15a03e02198fc5013c5f79d4e09c70ff01a2cebaca0435745bb9fdabb343071701217b05a81fe6eb2693e89a050211a4cb1de480ddcd5c4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
876b2cc03a4b5589d2c05102147b181d

SHA1
4e9eb3dfbbd2d62d6561f6b1f117fa98046ccdb7

SHA256
e003368d96323bb63b8da7f90e3e351e24453b0aa81389404f40d3d26786b926

SHA512
634b52faf948e43f9f26f331854e98905cb5e054100e5fa41f29311fc6d029be74b8060110561ec6082f717ed86eee0d0c09768ac80cc473a394315294787902

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
200KB

MD5
f9fdca219f773d234a9959031e6b89e9

SHA1
cb02842873ad49d2d013da6abfa1d9759af6146d

SHA256
f6ccf01dd96471a1f0f79f05e6a26192fae5152ea7958282bf33b296318a5461

SHA512
eef7e3c74b138e006d561e0261cafb708377d3db4319df689ff7a218c6144f7dbc82221858f047a94d5aada8645681b73ee0962c09f289c922e49f952eff4066

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
1fdc13de64cfdb8ba3fcd71aad9d33d3

SHA1
b7649cfd66d751435fa56a4b4b20daace452c692

SHA256
fa890605b23aecfebe4300d159f10096cfaba982a942c8ce829617b3de36a783

SHA512
3c9dc261a1f0a96d4433d60de03423d58f0bd63dbf5db48962372658103f16991f6da06c1670deea1e51efd2a15aae699d1d287ee377e0a457299a7dd9f691a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\targeting.snapshot.json

Filesize
3KB

MD5
018cac468a9f41e0f6adf5ce69868963

SHA1
5e9f0132dcf29e3a76e8bcac4249e7835f3d3428

SHA256
2a1f5e87e1a5b9ef93bf6facc23cf025fd9e1eabd3b6145f10a2cab4755f2bad

SHA512
06d0dd6690291f740fa8cee6ff95c00fc3b2132f7a9c7e547230c2ef38f46c4ee29665455c0ab3c2227e2591672e8d5367c215f5686ff6741aa8eb45009a4ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\Downloads\release.D5aaBi_x.zip.part

Filesize
28KB

MD5
a1ade68d4cbec252565179993b7f867c

SHA1
50f611532366077365764e840447eceab9bc4a89

SHA256
79764ec2ed4f1193fd584b71444b39cb76428408dac5457ac38564108da2623d

SHA512
05c699c173515249c7297e9b7c0c21bf43debb546c921e8f87478a57ff27a5f33b4a3ac44f71b4bac3489579ba17ec6c54ab4062bee98c846082b429eb412400

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
0152bc2f05f92f7d3d3015bc27d111fb

SHA1
fe4442bfaacc91fa2ff479aefb0489b1021f8303

SHA256
9cd5d55c11a8732bceaaef35b2c6aab90fed0416a2613267fb3438ea3a57bbc6

SHA512
dc28eaa3da20af0fce9373694d4139f5ab1f7b8651eb6cbc10976bb56b55c559822c991a7d71e0e9721ce8c5118607410b724025fbcb4d58cb726b44bdc174d0

Download Submit
memory/4276-379-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/4276-398-0x0000000007DB0000-0x0000000007ED2000-memory.dmp

Filesize
1.1MB

Download
memory/4276-397-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/4276-396-0x00000000737AE000-0x00000000737AF000-memory.dmp

Filesize
4KB

Download
memory/4276-386-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/4276-387-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/4276-385-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/4276-384-0x0000000005220000-0x000000000571E000-memory.dmp

Filesize
5.0MB

Download
memory/4276-378-0x00000000737AE000-0x00000000737AF000-memory.dmp

Filesize
4KB

Download
memory/4664-493-0x0000028ADE930000-0x0000028ADEE56000-memory.dmp

Filesize
5.1MB

Download
memory/4664-492-0x0000028ADE230000-0x0000028ADE3F2000-memory.dmp

Filesize
1.8MB

Download
memory/4664-491-0x0000028AC39F0000-0x0000028AC3A08000-memory.dmp

Filesize
96KB

Download