discordrat | d2d2664ee1d93b86c5cac6dfdb73e578cc6d17bc12ec498fc032a7616ccf17ab

Resubmissions

15-10-2024 14:36

241015-ryzzaatfnj 10

15-10-2024 12:58

241015-p7w8mszclq 10

Analysis

max time kernel
150s
max time network
157s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
15-10-2024 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ezyzip.zip
Size

444KB
MD5

00534c96a9f653b69dc1eb6954f9ffc9
SHA1

4ca3d3b7bd78dbd4a7b0cf5683d2939fb11190a9
SHA256

d2d2664ee1d93b86c5cac6dfdb73e578cc6d17bc12ec498fc032a7616ccf17ab
SHA512

31344c4748ef194affbf58cc5d97abd69bb932303cd14055adcb9ada6c9a367b8b9911443406d46d070e17d33ac183dc278c31c5b090c1b8fa03c8b3932e22f0
SSDEEP

12288:4ThcCVRKuZih6p8mbIhq/6mwI6rim6CaStHub+wZKUGJ6PaD:4ThcCVR1Zihgk3mwrtHxiCYPaD

Score

10^/10

discordrat discovery persistence rat rootkit spyware stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
316	builder.exe
4592	Client-built.exe

Loads dropped DLL 2 IoCs

pid	Process
316	builder.exe
316	builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	discord.com
15	raw.githubusercontent.com
61	discord.com
18	discord.com
19	discord.com
20	discord.com
60	discord.com
6	discord.com
10	discord.com
14	raw.githubusercontent.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	7zFM.exe
2004	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2004	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2004	7zFM.exe
Token: 35	2004	7zFM.exe
Token: SeSecurityPrivilege	2004	7zFM.exe
Token: SeSecurityPrivilege	2004	7zFM.exe
Token: SeDebugPrivilege	4592	Client-built.exe
Token: SeDebugPrivilege	4436	firefox.exe
Token: SeDebugPrivilege	4436	firefox.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2004	7zFM.exe
2004	7zFM.exe
2004	7zFM.exe
2004	7zFM.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4436	firefox.exe
4436	firefox.exe
4436	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4592	Client-built.exe
4592	Client-built.exe
4436	firefox.exe
4592	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 5028	2004	7zFM.exe	71
PID 2004 wrote to memory of 5028	2004	7zFM.exe	71
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 5032 wrote to memory of 4436	5032	firefox.exe	80
PID 4436 wrote to memory of 4388	4436	firefox.exe	81
PID 4436 wrote to memory of 4388	4436	firefox.exe	81
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1604	4436	firefox.exe	82
PID 4436 wrote to memory of 1936	4436	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ezyzip.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4D780FA7\Nyt tekstdokument.txt
  2⤵
  PID:5028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1600

C:\Users\Admin\Desktop\New folder\builder.exe
"C:\Users\Admin\Desktop\New folder\builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\Nyt tekstdokument.txt
1⤵
PID:3408

C:\Users\Admin\Desktop\New folder\Client-built.exe
"C:\Users\Admin\Desktop\New folder\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4436.0.371258645\1870878155" -parentBuildID 20221007134813 -prefsHandle 1676 -prefMapHandle 1664 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {722f2ade-e214-4d8a-aa7a-fe8227a88283} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" 1764 1ca1b6d4e58 gpu
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4436.1.947378498\1408885366" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20926 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eedd78c6-6b9b-48e4-9303-69c62996b792} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" 2120 1ca10672b58 socket
    3⤵
    PID:1604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4436.2.2011369357\3946008" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 21029 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8bf3d5e-779e-404a-9aa1-630d5c1d81f9} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" 3100 1ca1f5aeb58 tab
    3⤵
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4436.3.1557100143\1349414492" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e062a05-015c-4504-9490-2582a66c1e30} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" 3560 1ca1deed658 tab
    3⤵
    PID:3360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4436.4.1273290966\1712138903" -childID 3 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 26273 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41cf4220-ede8-4afe-a290-bcbd42456bc5} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" 4004 1ca2102b558 tab
    3⤵
    PID:5088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4436.5.1128736007\890989225" -childID 4 -isForBrowser -prefsHandle 4980 -prefMapHandle 4952 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fd199e2-d99c-4710-80ab-170316f6c6f5} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" 4988 1ca1066cd58 tab
    3⤵
    PID:2276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4436.6.2145727086\1404121827" -childID 5 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d78cf8d-5d08-4ea8-9080-c3b4edb469c6} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" 5032 1ca21eb8c58 tab
    3⤵
    PID:4540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4436.7.1430235935\865399953" -childID 6 -isForBrowser -prefsHandle 5324 -prefMapHandle 5320 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e83d28d-7264-4c05-9096-3455d689c74c} 4436 "\\.\pipe\gecko-crash-server-pipe.4436" 5332 1ca21eb9b58 tab
    3⤵
    PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
a1071a354e065260cc56c8af0f4fe791

SHA1
6f35586675cd2ad75c8a3aa7fe4140edae6a3ef2

SHA256
e0ef5df510ff3c3d31e7029030d81c89ef49cd297b629933b02c7417dd92f23a

SHA512
b3dcac382e4971ce1d7998536cac03537132e212264a6bcf97208cb69ef6be95650a136b8c33b11afe0fa462f399c0881deb25192b5af7c21952dc633f3bf982

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
d5e33f7cdd1ad909c85a4645933425aa

SHA1
2943f95bcab69aff8e0644fc04e331811b944e65

SHA256
65527444e2d74cbffd1f5918050db3315952084789081fc30da9027bbca1a357

SHA512
916d8bcdbf9750de16dfe6ecde0a4c03c8a0609954376e32aa4081a0d88fc1dacc6d19dfd2451257900d9f485398bd622d25bf5272602a87d86c66a64a2deccf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D780FA7\Nyt tekstdokument.txt

Filesize
97B

MD5
199a6de38f49adff383c677ffb2c9bee

SHA1
bbc95f327e72f8abb9d5b4fa2b4b2f4af813bc5e

SHA256
1c99bfdffab566929dd1826f604e29760b206a7c9e932be985d8248b6e53531f

SHA512
c3bc3d4c2f0e153d7a7e2bee35ac952d06a8a836e4bbeae8fc774e6f987788cfef29731df6bf37f339c6193efec65b7ddda80594626fa564081949a3f299533a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
78c8e14f8e60c9521296b6e7caca81fb

SHA1
af025e9997e22284e762d6f41faa42ff93214820

SHA256
3a3a08ebe3b50967e0f679d20dc5df25236ea07abb749bc4a512c4d49ed042e8

SHA512
55333f36f4f9979162bdc2bd5f0dcbb2e0ff7f5eadf93d67af086d677ae68249004e47c572fc7ef5a001bd16b600428d72ef0e9231a321d53f0cd61a45a22803

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
12b271c53613e7411e7fc492ee19049e

SHA1
58158e81b16076b3148268f9e989e8a5040fd1b8

SHA256
b4f71452ecee18d34a644b5fa36a0a70ab7c5757a704c182e9bfe6e939ab1f93

SHA512
f0205dcc88f0687fc8ac6c5e320e2d79d9caa7e9517f7cf26182a59010c5f4145f162e7bad126c3ad16413a977e2709d431e99d8021f32f399ab5a1c817fc45d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\37f84449-ea70-4254-bc12-903248f61db6

Filesize
746B

MD5
0e925a2df6cef21d5a5a905b4565c692

SHA1
ebdd151f6554037f1c7fad979b16222ae8346c5b

SHA256
f54d1af048b89ea1ff728431b864b059e866cf857eec189fbef2728c6b3b0599

SHA512
f3e40a34a5d7bdd5075c314d936fc89ccfc14fca0199c5a03419ee93d71d0b5677387e19638ac6304a2ba27eaa756ad32da08892c4baa238f03f555d3f48afb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\6fb44583-b56c-4868-a79e-913ecd846c40

Filesize
10KB

MD5
2787ed591194af3429572b98b2562758

SHA1
f1fa3e9a45a12e0586188fd042fd9eba4fba6e65

SHA256
d916de71ab55d568d66285d20ff8e41af405c2173c4eedb7a9a33f18a7123ca4

SHA512
ceac8584bb8366230ccf0f7188a9e1a86c08f499ebdcaf54bcf10b04ffb5e29da2f56b53f2d738eea1bdf8be6e247e36591055c43aa2fa6d7fe3cc4ca93c1304

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
7KB

MD5
c9d838437661cd3886fbb578b1b6f655

SHA1
a3bf57a0427e22f42140797468a7e89ef29eb2a1

SHA256
db3310c4b042d30606e4b7929c866af7acec22a0aff3afe2ffc9cb1c9a489ca5

SHA512
8d3f715a18ac3f7f0fa3ad8a56ea37a3051713c5ba8f8176e985d209059ba532655dcb629185649bf371eb3605a1c55a476acaa76504ea2c3d0d64fb50b89c5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4ec76b11df473fa30a1b9c15d9346def

SHA1
4fb1e344a0d5251d75c84bece3d7343170f318ad

SHA256
1edf8560174895d4600a224f84537b5e38ce4c94f20b12c0b2437ee38e899ed0

SHA512
555ab5ace1794823fd324a33fb1bbec30bcc213bdabb7aa9ba946ffb522511ce22e027425c7345d77ab5bcb3d31f4c789cd0b81690d87c5171b11cd5157437f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
6fb529a6040edced72255baf206751b3

SHA1
d86a9e27b28d30d06bf0134fc1f1dbe1c8eddde2

SHA256
0854a410ae1d03645fb10f650df8a76657332b00ebb80a86b3a2167e305fa970

SHA512
b62f30ad4cd0801c044258e0c16ffce4a945f4f94b1352caa03aa5639c0d7efc971e6b32bdac81eeb79d02715dfa4deec490f2e385f00b40008edaa6addc4020

Download Submit
C:\Users\Admin\Desktop\New folder\Client-built.exe

Filesize
78KB

MD5
621db100687e2bebfc3e83965a6488a6

SHA1
bc0ac954887e6aa9663f3f029542cd174b56d72c

SHA256
66337503cb96e6eff5135664d19bbe207cd9069418ca206317218b3097ae996a

SHA512
f19c0091e5f141202ee214b444df932fb5b7b92e6a430abb79b799f2659168bd3903f854877cbc4dc33ae9057520eb6ddf9e53904ea79596e7c6860924303e21

Download Submit
C:\Users\Admin\Desktop\New folder\Release\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
C:\Users\Admin\Desktop\New folder\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\Desktop\New folder\dnlib.dll

Filesize
1.1MB

MD5
508ccde8bc7003696f32af7054ca3d97

SHA1
1f6a0303c5ae5dc95853ec92fd8b979683c3f356

SHA256
4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

SHA512
92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

Download Submit
memory/316-17-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/316-22-0x0000000008770000-0x0000000008892000-memory.dmp

Filesize
1.1MB

Download
memory/316-16-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/316-15-0x00000000059D0000-0x0000000005ECE000-memory.dmp

Filesize
5.0MB

Download
memory/316-14-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/4592-27-0x00000296D9BD0000-0x00000296D9BE8000-memory.dmp

Filesize
96KB

Download
memory/4592-32-0x00000296DB930000-0x00000296DB94E000-memory.dmp

Filesize
120KB

Download
memory/4592-28-0x00000296F4240000-0x00000296F4402000-memory.dmp

Filesize
1.8MB

Download
memory/4592-31-0x00000296DB900000-0x00000296DB912000-memory.dmp

Filesize
72KB

Download
memory/4592-29-0x00000296F4A40000-0x00000296F4F66000-memory.dmp

Filesize
5.1MB

Download
memory/4592-30-0x00000296F4510000-0x00000296F4586000-memory.dmp

Filesize
472KB

Download