discordrat | 634d4d89eb266344d7d11f4b2f5d01746b702d4ab2f683bad19c5e9f584fdcd1

Analysis

max time kernel
87s
max time network
89s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-12-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.zip
Size

445KB
MD5

bd299ffb365cf3024a956cc0d9fbba64
SHA1

1c5d97a244b89ab32b5687e3d580253ddc118aa2
SHA256

634d4d89eb266344d7d11f4b2f5d01746b702d4ab2f683bad19c5e9f584fdcd1
SHA512

3b1b66300a61bce81418bd9ee2f565fc6c4798a851ffbba211bd2a49960d484c7afbc270be6a05dc468a560faf23e7f8d9b2f1a1afd9cd878d60a5110852094c
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQt:BKGo8EifSQwYWt

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 2 IoCs

pid	Process
4744	builder.exe
32	Client-built.exe

Loads dropped DLL 2 IoCs

pid	Process
4744	builder.exe
4744	builder.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
768	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2928	7zFM.exe
Token: 35	2928	7zFM.exe
Token: SeSecurityPrivilege	2928	7zFM.exe
Token: SeDebugPrivilege	32	Client-built.exe
Token: SeDebugPrivilege	1316	firefox.exe
Token: SeDebugPrivilege	1316	firefox.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2928	7zFM.exe
2928	7zFM.exe
4744	builder.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe
1316	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1316	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1660 wrote to memory of 1316	1660	firefox.exe	99
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3800	1316	firefox.exe	100
PID 1316 wrote to memory of 3892	1316	firefox.exe	101
PID 1316 wrote to memory of 3892	1316	firefox.exe	101
PID 1316 wrote to memory of 3892	1316	firefox.exe	101
PID 1316 wrote to memory of 3892	1316	firefox.exe	101
PID 1316 wrote to memory of 3892	1316	firefox.exe	101
PID 1316 wrote to memory of 3892	1316	firefox.exe	101
PID 1316 wrote to memory of 3892	1316	firefox.exe	101
PID 1316 wrote to memory of 3892	1316	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2928

C:\Users\Admin\Desktop\builder.exe
"C:\Users\Admin\Desktop\builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\d.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:768

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1896 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8ba647c-b415-4530-a50d-928eff7aa2e2} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" gpu
    3⤵
    PID:3800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f8788f-0759-4a91-a587-5754bf5ebb73} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" socket
    3⤵
    PID:3892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3220 -childID 1 -isForBrowser -prefsHandle 3232 -prefMapHandle 3044 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a583bad-62cb-4729-81b7-11ee6a688722} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
    3⤵
    PID:2156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4280 -childID 2 -isForBrowser -prefsHandle 4272 -prefMapHandle 4268 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a55db790-2721-443e-9d99-0655f7f7d329} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4964 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3ed6811-7a38-4c1f-aba7-aa904d299ba4} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" utility
    3⤵
    - Checks processor information in registry
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5284 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4eeb8037-7a04-4493-a0f6-8ea8ee8af549} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8266620-866e-4610-b259-cde36e5eedc4} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
    3⤵
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5688 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {864c91f3-6603-48db-a12a-6afab3e8edcf} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
    3⤵
    PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 6 -isForBrowser -prefsHandle 6068 -prefMapHandle 5492 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c66ceaf-9d24-4964-a216-a22f55cce193} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab
    3⤵
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f1lggfg7.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\AlternateServices.bin

Filesize
10KB

MD5
8a66c7ce6d2cd5fd5cce7214d19d212a

SHA1
2574d715a25feaec92fa39105b68f130c88fa6e1

SHA256
144ee24c05a1a64c97510244c36dca1b80f38c2b849e650b60e9d274034602f3

SHA512
3feea46ff3ddf4369c86b2d0f2bf1a3da4bd0e53e1e78caa3c4c1ab2a2d9022697b820b0dfde5cb99330fb237c6bbd7be13cb3567bd9b24f5df4c2c8663172dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
578cabc389b156a8814731a865930e72

SHA1
6ebb69f8baff1c4d13426384c18a6bcc1b4b2ec7

SHA256
9bfdb22ec1fc009d775cee2afb8b89bb663d250c3c54f878afec5b7ebf1cad41

SHA512
3eed8dfb5b3786d0b955ac30f9662a5f69112eb895959b3dc9e5e396dcd93781c033e3d4ec6feaf6d2811d5eea00cda6b5615fc1adf5701bac6a99b54534ecff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
69f5742de760ca5f3d9b2f1aafb8f8b8

SHA1
dfa4ef45363ca380319a4c523111d40b0ee3412c

SHA256
273a79ef09056edfb18d3665663bf119d630bd452ea8ec20c948be7f6d29e5da

SHA512
32bc5d2468bdf88f1c9ef00f74c4ac6b26020d269a99ec4be4ed247a47bdda0a79696ba0606d59cb3fe6d5f1d62313927357423e0b148c4d292bd3721a347edd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\928e49b6-21a8-4e4f-8d1a-14bf7011acdb

Filesize
26KB

MD5
f17d249b87d4f8eb8ba7a9f5eba0401f

SHA1
4e58c731a5e89320cd7bbbef33e5ded45643fdab

SHA256
3f7f0f761f9e3577745bf88682183d2a0f8f01f8df47f0cea2084a7dc67abe2d

SHA512
95fab14eb9cb236e5e14d7101b626856b0ee8db15bdd8376c1b46016b925a9c6bd749cc411e46a8f1eb823b3973e1a19a225bdccf2f854937db3160e3cfc4143

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\964ee8cb-cb6a-4494-8729-e8d1861817f1

Filesize
671B

MD5
bb694b7d9a3482d03b5da7b96a0ce226

SHA1
e703bfc39966f40d3f7085151fbab4ab6a9abf7a

SHA256
79977912254495a9aba7dec9cdb4ceec304cc4b907f4b9ecfaf3ec232b9f0957

SHA512
1178e9d958877737d147031e7be9abb9ab86e57be1969672305886c78fe69b5cdb0798be81c029f77c08aeca977f6b65fdc606a70436880d7f84482b885a92ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\dc164c2e-7ba3-4f11-96a9-930e6bb99953

Filesize
982B

MD5
290170b1c932776f16ea184fabf88c37

SHA1
321f44aefde8d3f1f44f983bdfc3ebdc83214e78

SHA256
05cc85b546aba32260e5bccfd97b388e20f008edebcfd9af6049cc308b955846

SHA512
67a8f60664f196786fab2f071a49f26e4f80eb105ad9bf95de996968181fd65b436ae47dfcdee157c5e23d4eef7d9ad40ef6fa3cf2ae3a73d5522e33d28e4c39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
10KB

MD5
eb06fb86a75375b2a761212cf452000e

SHA1
d2bf3efda51c64d04886b4288f44d4056800f60a

SHA256
e57e87158432aece9b84d66f71e2923af26c925dd6d86c6880d1b56c36d193e8

SHA512
83751892d8109ad996f8177928dec4d72aa720f8cc2f32b9c9d7862120f5108f5d2747634ab2d4ba5eff50c55d2f79cb8775124421dbe04d98758474f916c362

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
10KB

MD5
55a7bd70fa60f0b0760c0779d087e53b

SHA1
68c6c7220f6aeafc66380a370407687f5a240713

SHA256
50ac0a1f5116271326fd0d7b536c98f9cfd0d43ca7b114504725fbb1175cdd52

SHA512
4fcbd4305011fcfeb227ddc796c2f59fbb81edd12c9788d31ecf835ceeb02668e242df6481cd778e74c333c7415e496c0a817ccaab742c6a133399285041645d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
10KB

MD5
428acad8f395d2f888f723032eb37c17

SHA1
cbc626156a37a2468dff233c6889c4369d444763

SHA256
08e90f5c40d0f28aff095af3f60dd8e2630b28f100f755cddbb0aad1b95ae315

SHA512
e88ee132b6a05622333fecf7239dfe0895d28d7164407f1c702a7b78762d535df1a0e3c6cb30ac0c13e36e4cd160da6482451e261c6b399eb7da159a2270d498

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
10KB

MD5
a10f27619258082db26829a4e6faafb7

SHA1
6186b9338be544bb81b8ff459b146acb10c54a4e

SHA256
4572ad1a477fa888f8a95201ab5505047d6e2c7b3dddcbb79789259ff31d49f3

SHA512
d04c68d61675e5c44d608e5a48998f8bb52e1c9fabd17ac9f2fa393e7cc1104fe233132b6ba7bffc664cf8bf998b14acf45bc7c6dee784f64537bfc838bfcd05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
11KB

MD5
9212c407d801ac79d4c01244986806bb

SHA1
ffc40f30a3330a437c2107af626637686db365dc

SHA256
cc1ec419c6769f6e3673e7609a378f90b15c5985558b1801ebb63f49b6661e2c

SHA512
5f3b9341127d24783a558e95a0b76de4e3d10d082385e096e5dea78f73c2a45a7a4b18820dfb7355be8ca01b96856e1ab5098fa57a3f25076fb17b65036824c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
f103ab1d5c969d5d6d7793eaa8e0dbc7

SHA1
11a285beee103d960bf824d838a80672ff156b9e

SHA256
4e514baeb7794be1e05d7eeed795e67e9bda377b6f85893d389378fdca0d98b9

SHA512
7f6b44e2e5145543f39995c3207666914dc2ce9c8555d07eec2c62aab137bb1e3fac89a5f3f62bf7f702dd9b9a22e8195d7b7fee4c6eddf625928f81577626ad

Download Submit
C:\Users\Admin\Desktop\Client-built.exe

Filesize
78KB

MD5
de1ec0402dce880bdda03f2e1b07c234

SHA1
925878d15fa620429894c8e0df57a15d1c6e3bf3

SHA256
0caf4f2c21a947aa1bb488a0c2cf1855c50e7ff3cab2f1030619614d0ef9187b

SHA512
298496412d430324502db0cf8512005db7637c66655258a93b4f94373d621f19e7ca503991666354c56b73ee2d56159c4ee9e6df00b6144500a174a225de4db0

Download Submit
C:\Users\Admin\Desktop\Release\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
C:\Users\Admin\Desktop\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\Desktop\d.txt

Filesize
93B

MD5
215bd924cded72f60607787e7e840e73

SHA1
6b01c4ca1b61be2f1482f492e376247641e8b707

SHA256
5c007cc18e2002b03aa576cbd57369ce41c779e366c5dff2b87244b5c63b88b3

SHA512
3a6b7dc592295b686be7b5ab9ee3af24ab34096efae64d48e90ff99e4116c339b713dfcd638b5f051815f9305a4335ff28f01eca6c868ec3c033ac9b920dc0fd

Download Submit
C:\Users\Admin\Desktop\dnlib.dll

Filesize
1.1MB

MD5
508ccde8bc7003696f32af7054ca3d97

SHA1
1f6a0303c5ae5dc95853ec92fd8b979683c3f356

SHA256
4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

SHA512
92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

Download Submit
memory/32-30-0x000001BB44040000-0x000001BB44202000-memory.dmp

Filesize
1.8MB

Download
memory/32-36-0x000001BB45300000-0x000001BB45828000-memory.dmp

Filesize
5.2MB

Download
memory/32-29-0x000001BB29950000-0x000001BB29968000-memory.dmp

Filesize
96KB

Download
memory/4744-26-0x0000000075320000-0x0000000075AD1000-memory.dmp

Filesize
7.7MB

Download
memory/4744-22-0x0000000009570000-0x0000000009692000-memory.dmp

Filesize
1.1MB

Download
memory/4744-17-0x0000000075320000-0x0000000075AD1000-memory.dmp

Filesize
7.7MB

Download
memory/4744-16-0x000000007532E000-0x000000007532F000-memory.dmp

Filesize
4KB

Download
memory/4744-15-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/4744-14-0x0000000075320000-0x0000000075AD1000-memory.dmp

Filesize
7.7MB

Download
memory/4744-13-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/4744-12-0x0000000005DB0000-0x0000000006356000-memory.dmp

Filesize
5.6MB

Download
memory/4744-11-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/4744-10-0x000000007532E000-0x000000007532F000-memory.dmp

Filesize
4KB

Download