discordrat | 2d0c4e09f077fb6ddfe6eb637571b703a7754fd5dbc872b33bb05107823444e9

Analysis

max time kernel
114s
max time network
122s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-12-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.zip
Size

445KB
MD5

5c28bddd017f9f16ac939ace6abf835a
SHA1

bc8e8dd59908326bfa0e75d6b6fbcd9861f5d934
SHA256

2d0c4e09f077fb6ddfe6eb637571b703a7754fd5dbc872b33bb05107823444e9
SHA512

8e2cc4959344cb56a57130fa56bb5343bddfb2c50b744d6c8606110141f82899e5590f52cf6df53d665abaa02e6c6b11b580f89b5b7d63ec99b4439b06daefd2
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQm:BKGo8EifSQwYWm

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
3704	builder.exe

Loads dropped DLL 2 IoCs

pid	Process
3704	builder.exe
3704	builder.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2736	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4956	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4956	7zFM.exe
Token: 35	4956	7zFM.exe
Token: SeSecurityPrivilege	4956	7zFM.exe
Token: SeDebugPrivilege	1096	firefox.exe
Token: SeDebugPrivilege	1096	firefox.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4956	7zFM.exe
4956	7zFM.exe
2736	NOTEPAD.EXE
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe
1096	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1096	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 3456 wrote to memory of 1096	3456	firefox.exe	95
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 4304	1096	firefox.exe	96
PID 1096 wrote to memory of 980	1096	firefox.exe	97
PID 1096 wrote to memory of 980	1096	firefox.exe	97
PID 1096 wrote to memory of 980	1096	firefox.exe	97
PID 1096 wrote to memory of 980	1096	firefox.exe	97
PID 1096 wrote to memory of 980	1096	firefox.exe	97
PID 1096 wrote to memory of 980	1096	firefox.exe	97
PID 1096 wrote to memory of 980	1096	firefox.exe	97
PID 1096 wrote to memory of 980	1096	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4956

C:\Users\Admin\Desktop\builder.exe
"C:\Users\Admin\Desktop\builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3704

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\d.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6419eb2f-662e-4f9d-8548-16bc895d5d2e} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" gpu
    3⤵
    PID:4304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69d50391-7cc5-4442-b506-cf45542f5408} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" socket
    3⤵
    PID:980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3024 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3044 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75be2e9b-9da4-4c4f-a663-5ee6324fcd8c} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
    3⤵
    PID:4680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3792 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3656 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d373a1ac-9281-46aa-912a-184980220954} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
    3⤵
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4760 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede3be5f-7161-45d1-9835-a6c556901768} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" utility
    3⤵
    - Checks processor information in registry
    PID:3036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5444 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {224b2476-feef-484c-895e-777f33ce7844} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
    3⤵
    PID:5724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10d0468f-877a-45a7-bfd2-1a11362351fd} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
    3⤵
    PID:5748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5604 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ede976c-f948-4556-b44e-9461c15cb2f3} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
    3⤵
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 6 -isForBrowser -prefsHandle 5580 -prefMapHandle 2780 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87069f91-5e64-4636-9741-60c377f0b058} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
    3⤵
    PID:2300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
91cca08cefe6c9635614112b222cd863

SHA1
b73767de6252033c10ee0750c5f9544a44837b92

SHA256
4b4cab7bf2eddf7fc8da6a84de32d21cf67d87b9a7aff085d4d90595d4497b15

SHA512
da41db23fcbd031e46690f51ee47a736afb33bd649df20d4a45ccaff64b2168bea79ce2b302ded0bcc56e4f99abcaf338a4c5b6736aa00370cfb888af2a219ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
6KB

MD5
56dbc4efbd0a10f5dabf6240dfcf1358

SHA1
434fc3c5173dd79b8fd14c888027c786d2462704

SHA256
5344b4df4c6bfe61f2a5c8cfb4f169ed54e46d0f240cde4cf0971d528862a470

SHA512
131aa2780de25f3f3be6a0efd716301cdb093d05e8ed0b6dece3601aed04b1a0d778b8f0168dca09d0f17f7a4555b7bbe18f7f364c684740119d62382cbee68e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
8KB

MD5
e07d17c7b7bc9c88941bbbf975ae0740

SHA1
e357a311848a95fb462f5e256600af0f47c5ecbe

SHA256
ae59d78bf3e6171a18185a71415b0c8782987ca859400cabaa29e1a3e2a4ae4f

SHA512
43d070581742621d8a5cf25105b9bd8fb6466aeaba21f35827dcb1c69fccd2bdc18245bb3f7684ff2d3951944d11a4f37bdac08b1203af5d34a93177644a4248

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5581ad6e63ffe65943a403472c067bc8

SHA1
cc3e6ff8f39a596905ae9e16cc949d0b04c08441

SHA256
5a0dda321172749b24927f6ffb331d4e39e0f4c59e2a73de3b9b7b9a4947b200

SHA512
c03dcb17851334304bc24149556e4897fdb7714cd6b0fa9120e54d143f4c76de899cfb2e5fb0af5060a5355394cecaf7ef06abcfa288ce8dc9307954d751716c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ee3434998bc5334228ab10bd0824ecc7

SHA1
35c80b549bbfd49e520ca2a936a44a22dac9e0a5

SHA256
ef281233dd00c02ddb44a56236c86f8384072453425356eaf4c3086b0eb85240

SHA512
60196cf6d1c350cafdd62f3dc99ffebff5b9c4f1642d67c8e556db36b6410eba7b2581e2c97831afcb3f1c29f76155a50cc9cc70915fef8627b67e8fa5c2e559

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
4dbae5279227b984656a91629dc63016

SHA1
60b66ae0753c7b27d5b6d578362d986a04d960d9

SHA256
0a247f8a50e5315e62cb880588aedc300d1166c492db23e6bec734c98795bcc3

SHA512
d999cf812c6ea9cf367ecb2bf4670462d7d93d7d65311673e731ad930b58e0ca815007672a459deecbde784d41a2930ecf4f4f82db466e88ef099b75c80958c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\0e524fdb-e88c-4b12-a42b-e5809ea897fa

Filesize
26KB

MD5
3209b30fb7d92dc0dedac15e6c51f017

SHA1
20140ee617d96c275c18b591c8ca7a14a0b7ff88

SHA256
5cb82a4538eeca10232de252a433c10ac68d669899dd34fd581af795da662353

SHA512
f4e81bcca6d68900ee244cad3fda23381429aaff8aa80d13a49fadf0943a42024bc90a0ce00533817d39441644cfe60d8dc7412115d44cda84015bf14c42516d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\368eb981-e4e4-425f-864d-066fa5697d75

Filesize
982B

MD5
57e82ff808ce8fb8e21f67f54c3ad2ad

SHA1
37d9e7ca047f7f57df1d452eb1dfeb53d8102763

SHA256
4778786ed240045a4e1f0648117a3375dbaf68ac18c4c8f85612da377a27b747

SHA512
e3cc87bddf63ffa117a0d1674f1fbe61d0b352bdd6ab488e7a824a0299984d5c7f66c7658404fce3320c71c2861783a8a3be06b32df1862eb493206537732db7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\c8d95e75-6906-4ea9-82d2-3bcb81f195eb

Filesize
671B

MD5
5ae70c9dc40e530af555e8987ff730c3

SHA1
f5d9c910db548a9b80be7905b621f0a04cf8965b

SHA256
749eabeb441289fefb2e3ec75f9fe7f1f1d17478185c88368bfddf0a61a1f238

SHA512
6be088508447c6e67b484c940b8f0a8e349e37d3d6d8225c27ab8dff8079eab82b9da01b6fb7000168e807b311f9704ac4f7c81102a825c00dd90b47afd6bde9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
11KB

MD5
015355b6cb77ab00ee15b6985f81a890

SHA1
d83421a1e3caba808172ee689bf23cd37b490418

SHA256
d1b5bfc9dc7856ded2eaa0105a4d07b4ca208df6c55543404fdddce5d1ddb38e

SHA512
a7d213cb1e7c9a120396e9bdc25dc205c0b6a2c35f8a9418df061d11e3d386c6b70434f25d258cd7e5dc0cc5c7adad77d97e45680319ba57028664a43911fd48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
b4f000a87a282996fdcc37858320af0d

SHA1
abab8dfefcb53020d6f02cb47bf220af29f6c705

SHA256
9fe289fbd7a5ef5c5787b5bd626f2b58a1730518243d1d33b58fc1d0fbaa1e0a

SHA512
2feee1a3f91d533bd3e92aafc182e88afbb1feab706c4f993268987be5d0e6002975f665450da8aca5b37ee8e6680bc8530ccd23be6c52e6b1396598a797eeb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
44b09f7180e16b2b21a6c35433d09e67

SHA1
00884a6494e99723969927c1f5326e4d51a3760b

SHA256
763cdfc26bfbca5dcd7aa8fcd9c4abbb75b2b97bca4d28b799f22db79244b86b

SHA512
32bc2af590beff949c3fbbd4e7c92b59758eb1fdba114159b6147ae6304284ce408a520762fea5825f8a0c501400d4c686c35d3a39f37dbaadc1f4b978e4eedd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
dd73bc5910910484dcefbc07a759589e

SHA1
9ec9fe0f504fc7ba031d3062b13beb689922b34e

SHA256
1e0060bcb59632048118210e4150dbbe2649fa44421a50b27b69be85e7a90fb9

SHA512
d3f79f5d802605963b94069b595d0aeb3448d3fbc670cd4d6cdbfd12ea13dcc6e7e263d578b1a3445e64fc044810be8139afec3edf8b46c4d68cbcc38313e0e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
7013e148f44c00bddc8991cbc3309a21

SHA1
ea815ad4b66121686ecd13fa6168ff40a82e9de3

SHA256
17645d67fc895aa4f3c0f8d063c1008806ccd1c690da9aa163c9cde301cb3008

SHA512
5f21be03ea8e0b5d72a014d6603b79c31faddb6829de650f0632dc5f540e505369f2395790136419f29ea8d9573cd1469e1412359f2b3501608796f7245503f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
e1ca84d901b8bcf578835cd02e77b8f0

SHA1
d240a5df77cbd14c19a4f922552625fcd5795541

SHA256
c06205eac537e0f84579e30c9f7be1e6be79c3449a3ccd629b00a8b7392f1f49

SHA512
48a192e49a48359db61d31f6a5c29099c9daab94840b55e0568756dcbb509c23defbc7728747b2e4763dd8084b95ffcb9807b153d52e8b89379140d05bf310e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
9b8cd458c6d576b375adc929c62f9e9a

SHA1
e04a0cbcfdd1ed0c1f071aec2a519becf50c3a44

SHA256
bb4a44196cbb3e463ec91523b674992d0679ba970c851de55c884682be9505e4

SHA512
c3f5723cc67e281feeed4b03aa00f7b62ed4e9201d4d7c3bfab79d530ede70f3053862c1b11067aa32b39c8ee79cc19422753022da32c02cdc1acd51a5bd4e12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
576KB

MD5
39f52c6304307d60abb4b1aeaa3a6cb9

SHA1
524e1546cf9cbf6dde98dfd99641c6098faa9372

SHA256
9cfa21b6cfdbe3ee9b6086898c6b05d0353fcad155f1df8d80e616c33b8e9f75

SHA512
6b76164c407a25fabff0de6970162b861adc48391cf7042be64e8776f491567c17b96c2ef5784f0bcfb31b1faa9ed7837654e98007a4d13a3ee273e15b51c860

Download Submit
C:\Users\Admin\Desktop\Client-built.exe

Filesize
78KB

MD5
49d6130bca1cf85adb53b34247070629

SHA1
d025ff0a2eeeaf0d303424ceb4ea5e55a26ba7da

SHA256
f573bc888434d747458210081a7a7632e86b945693a541f1548236bcefd6acc6

SHA512
69ba140dcef810d9ac7a4292d09b99b3b4f2da926342a57d325e99d6afb40b65fa6940448728b04d361d4a6f732dc93e18379a7fb9b0329ffe660181bab8ccbb

Download Submit
C:\Users\Admin\Desktop\Release\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
C:\Users\Admin\Desktop\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\Desktop\d.txt

Filesize
93B

MD5
d8cff20f39795883509d8d002ce614f4

SHA1
adab16686fe04411352e5e907e3c6bf95f3104cf

SHA256
785fd1984d747c52e79a1df9353e40eae2362c3dc2449377dca89e9890b3f0a3

SHA512
bca13c1f098df6aacff24ef7b1280141cb0caf3e37f0144324ad3c31295e7a2ba375cf9fe04db4b7695291e3d76f0f4a6e0c316eb4e2c9c077e9d7c7396358d6

Download Submit
C:\Users\Admin\Desktop\dnlib.dll

Filesize
1.1MB

MD5
508ccde8bc7003696f32af7054ca3d97

SHA1
1f6a0303c5ae5dc95853ec92fd8b979683c3f356

SHA256
4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

SHA512
92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

Download Submit
memory/3704-13-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/3704-11-0x00000000008F0000-0x00000000008F8000-memory.dmp

Filesize
32KB

Download
memory/3704-12-0x00000000058C0000-0x0000000005E66000-memory.dmp

Filesize
5.6MB

Download
memory/3704-10-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/3704-14-0x0000000074AE0000-0x0000000075291000-memory.dmp

Filesize
7.7MB

Download
memory/3704-15-0x0000000002D60000-0x0000000002D6A000-memory.dmp

Filesize
40KB

Download
memory/3704-503-0x0000000074AE0000-0x0000000075291000-memory.dmp

Filesize
7.7MB

Download
memory/3704-17-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/3704-18-0x0000000074AE0000-0x0000000075291000-memory.dmp

Filesize
7.7MB

Download
memory/3704-22-0x0000000008C60000-0x0000000008D82000-memory.dmp

Filesize
1.1MB

Download