discordrat | 2d1f7b06c08058706f5b24f482bd1adfd69573451a762a424f48843896a3f798

Analysis

max time kernel
73s
max time network
76s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-12-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.zip
Size

445KB
MD5

f674b9eb0f6aec721d628ce6bde2e2c5
SHA1

5c08090d16b02b092f5c0cfddfa6c22791af8c98
SHA256

2d1f7b06c08058706f5b24f482bd1adfd69573451a762a424f48843896a3f798
SHA512

b7e8ab7fa100924b7aeb246687946afc1b605facea30e4b2f1a2d81b325c33ba490d2bb1cb2e1a1ce7a349cd5ca03b1cd3580b9de44f5368adce333963253b41
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQH:BKGo8EifSQwYWH

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 5 IoCs

pid	Process
4492	builder.exe
5140	Discord rat.exe
1592	Client-built.exe
4948	Client-built.exe
3004	Client-built.exe

Loads dropped DLL 2 IoCs

pid	Process
4492	builder.exe
4492	builder.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4676	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1140	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1140	7zFM.exe
Token: 35	1140	7zFM.exe
Token: SeSecurityPrivilege	1140	7zFM.exe
Token: SeDebugPrivilege	2016	firefox.exe
Token: SeDebugPrivilege	2016	firefox.exe
Token: SeDebugPrivilege	5140	Discord rat.exe
Token: SeDebugPrivilege	1592	Client-built.exe
Token: SeDebugPrivilege	4948	Client-built.exe
Token: SeDebugPrivilege	3004	Client-built.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1140	7zFM.exe
1140	7zFM.exe
4676	NOTEPAD.EXE
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe
2016	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2016	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 3636 wrote to memory of 2016	3636	firefox.exe	96
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 1340	2016	firefox.exe	97
PID 2016 wrote to memory of 3876	2016	firefox.exe	98
PID 2016 wrote to memory of 3876	2016	firefox.exe	98
PID 2016 wrote to memory of 3876	2016	firefox.exe	98
PID 2016 wrote to memory of 3876	2016	firefox.exe	98
PID 2016 wrote to memory of 3876	2016	firefox.exe	98
PID 2016 wrote to memory of 3876	2016	firefox.exe	98
PID 2016 wrote to memory of 3876	2016	firefox.exe	98
PID 2016 wrote to memory of 3876	2016	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1140

C:\Users\Admin\Desktop\builder.exe
"C:\Users\Admin\Desktop\builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\d.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1928 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14a5361e-0891-4268-8f31-bdb4740203ba} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" gpu
    3⤵
    PID:1340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2408 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc57c0ac-f118-4a72-8ef5-29080d8f4e4e} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" socket
    3⤵
    PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3232 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 3220 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee0aed08-7fc5-43f7-a59f-1dd900936238} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:3132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c424483-f6b8-4a96-8712-309415d7cc60} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:2716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4824 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {325f03c2-7ef8-4673-a5c4-b4c8dc55a065} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" utility
    3⤵
    - Checks processor information in registry
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5320 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f16f81c9-c512-4782-bfb6-41266713fbe8} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:5604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a79ceb1-246a-4986-985d-812c2cbf47af} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:5616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5744 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2318100b-2a9b-494d-b2e8-9aa7662b760b} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:5628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 6 -isForBrowser -prefsHandle 6244 -prefMapHandle 6240 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c09dc6a1-02f9-4c02-8543-afbf89d2adc6} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:4688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1716

C:\Users\Admin\Desktop\Release\Discord rat.exe
"C:\Users\Admin\Desktop\Release\Discord rat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5140

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\AlternateServices.bin

Filesize
6KB

MD5
326cc83d4bf8d956f95fc97a71b0e1fa

SHA1
b3b5caab88a74639e1dcc8856e97725ecd741da0

SHA256
bfd3275e7f5f1b196af4807583ed65ffbf302e10a8c8e8dcdb339c8556ec014a

SHA512
33d2f9a4b6ad2c9668ea35191d1bd2737cb0f7684cea61ba34eb3f06195f186e9e8df5cc41c93a83f47aa130cded604fec08c9a42af29851b4c7c34a00b97ef9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\AlternateServices.bin

Filesize
10KB

MD5
702a684169da4d77b4a2a3cb79a7b800

SHA1
b37ca944d2763b2bd7cf8fcb7b17ef8d56e412db

SHA256
83c360d0991b85660335cf4b76cafc5ed584d412f9155783167990b045298693

SHA512
81e062477d070cab87011ba29a74d909b6203b5d05ab6900e055ab9ca02463c9b417982d90a6bdf2d0d405cf150c7b639a84c082baee8fd38f4851f6143f74b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e2831ed910f9c3e1446c9c293d24c265

SHA1
6595083acb96335ea9ff37c3777bff4616e21652

SHA256
bab909095e5eededd4edd59f93f7b03209aa0104f0d8b450e474e645d6e8e21c

SHA512
73ddcecdbda1cb527fc902ad50a75cf80df2cfd5dc69db4d51cab73dda619c04e356fe95025da007b4a5133b4a1ff751b1db56026c5ec03feb32bc49e32aa557

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\8e494aa6-b279-4c55-b982-0b6b0eb10ea8

Filesize
982B

MD5
d7444b587050a69fa999ee3bb198afe3

SHA1
a48903e0d114c9f443ca6df3904ce21ed7eb5117

SHA256
4b911e6c14df3074c3661d712b6bd25832539a1ea250ea3c8bdccbda11f1e7e2

SHA512
8323dcf272570ebc7ca2a2ef7b79d9e9438ed8c6c8108df61f5cdb3a87b51e73c3f45087abf8cd9496133f2128bddb413a4f1cb7fee926c7d4c4f1a211f5bd62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\bb09563f-ae85-4cd8-ad94-e4af37f3ca4b

Filesize
671B

MD5
fa2d7302258d745f9d254476805ab38f

SHA1
c4c7daf006da20d09eb82284fea7e43e4a62f2a3

SHA256
82cd90bfd71330df534a26ca951e22689781b9afeb323f21de4e07c5f3b301f0

SHA512
13571347be737be93be2a4f9583bff03022a2c7df1eed4eb85ce1f51418bbf801124939bd5342f70aa1b76feb6837605c3ce3a4aac8e34ce5ceeb4698e3f3879

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\cc5d076d-84b7-4705-80c9-0df948be5c5b

Filesize
26KB

MD5
ebc6ae469384b7f57c12283a140f812f

SHA1
6014fbfc67f299c504794585831939c1eac050d3

SHA256
fa4099685ee5191bdeef934e9d53ef8195f0a7db8d260623c56910c212d3d2fb

SHA512
5b36e0f55e16ed26b7bffe36cf3666e9728a49f5bfb876e418c5c57dfc2ef19d78335830fefb7695a88c2d473ed47f3e4a4de73ee28f6316a51db0cb4816165e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs-1.js

Filesize
10KB

MD5
901bd3e41552ff45604ef72a5009321a

SHA1
cb4f99acb002fd4d6d434b3258c7e6bdf2791bb6

SHA256
1848df1590bfbc66ef71c90f1f18e591a2f7df2d0e0d374197399cab95171f30

SHA512
9b5882efaccb94bc5a363605b45f695f242ab735eed25c46067ad7d07bb9d5ee6a6ce8f80883ea6f9c06f5a7429a2a0206d250e4b256adeb13a80e1ed39426d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
cd67de708872ef94c5a3c60af2b317a6

SHA1
478c7d98473ab31950a686298d73685e91c34bb2

SHA256
f2735cea32ce451bbee778941bbfd265f1b91c01806972d7612f04f7694c7f8a

SHA512
a8e3004fdae0b0f10df19245fa7b567a58ebb628647af60bbe04b570b777769f1d2f3f4c71bc1c99220a69c2c9c36b8e71df3a62797ee178bd77ef01fc510383

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
ab27d5c3ee9727f0c2668fa943aa07a7

SHA1
545c1e64c2e198a3715cd400923dda183a58af57

SHA256
aa010d603f6eb2d0b61c3d5f93475000b6558e144697ce5e2ef62acccc84375f

SHA512
025a46203212548e5d29e886d25d8756d7a02ef39dac8e6cad59d26c018f75e362ed2e4f31423c638818600966fa4cffbeb9de3d0ee6ffb66c79913109b81641

Download Submit
C:\Users\Admin\Desktop\Client-built.exe

Filesize
78KB

MD5
1c5c1fa386a2383e92c9a0577c539df8

SHA1
dcd6ed90f64107403014b97675cdf66a69f61213

SHA256
4e4c57277d017ee55b96d8194e95fb0ea46792cd664d13e63057e29ad1a20aa6

SHA512
72cb27f98177f35165fa8db764dfdf29aee9b29658b7403c217c27d587ad9cc75536f73207f84c189602c5bf3bdae3fcdf4b7d4c472dd9ad82f581c1cf8bf74e

Download Submit
C:\Users\Admin\Desktop\Release\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
C:\Users\Admin\Desktop\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\Desktop\d.txt

Filesize
93B

MD5
80ecc14f5e2966d847023c99e2fd7d96

SHA1
31c5591b044fb4cd8f702ec520f8c4515a9fb853

SHA256
2decc683f03f1de14d02cb9fafebc7b56e1fcfc851556c7b5f3c6035d00c75d5

SHA512
c7fa712ea30980b13bf8df2187982bbaccb5e71e954f869c2db0c94c312f90584a410eb8e18991d8888b5f3bc60fa0f20c265d32b20236c84c04452587980f76

Download Submit
C:\Users\Admin\Desktop\dnlib.dll

Filesize
1.1MB

MD5
508ccde8bc7003696f32af7054ca3d97

SHA1
1f6a0303c5ae5dc95853ec92fd8b979683c3f356

SHA256
4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

SHA512
92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

Download Submit
memory/1592-392-0x00000174C5340000-0x00000174C5358000-memory.dmp

Filesize
96KB

Download
memory/4492-22-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/4492-366-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/4492-24-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/4492-20-0x0000000007180000-0x00000000072A2000-memory.dmp

Filesize
1.1MB

Download
memory/4492-15-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/4492-14-0x0000000074430000-0x0000000074BE1000-memory.dmp

Filesize
7.7MB

Download
memory/4492-13-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/4492-12-0x00000000058A0000-0x0000000005E46000-memory.dmp

Filesize
5.6MB

Download
memory/4492-11-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/4492-10-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/5140-387-0x000002B23A880000-0x000002B23A898000-memory.dmp

Filesize
96KB

Download
memory/5140-389-0x000002B2556E0000-0x000002B255C08000-memory.dmp

Filesize
5.2MB

Download
memory/5140-388-0x000002B254FE0000-0x000002B2551A2000-memory.dmp

Filesize
1.8MB

Download