discordrat | hxxps://www[.]upload[.]ee/files/17214815/Vape[.]rar[.]html

Analysis

max time kernel
125s
max time network
126s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-10-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/17214815/Vape.rar.html

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5Mjk3NzAzNDk0MzAwODg5MA.GUtIvD.vaGauQAWYFeLWJRnUaocQs4q3Ztcew_JgOoy8U
server_id
1292965909807501376

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

Processes:

injector.exeinjector.exe

pid	Process
5832	injector.exe
2568	injector.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\Vape.rar:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

firefox.exe7zG.exeinjector.exeinjector.exe

description	pid	Process
Token: SeDebugPrivilege	3556	firefox.exe
Token: SeDebugPrivilege	3556	firefox.exe
Token: SeDebugPrivilege	3556	firefox.exe
Token: SeRestorePrivilege	3432	7zG.exe
Token: 35	3432	7zG.exe
Token: SeSecurityPrivilege	3432	7zG.exe
Token: SeSecurityPrivilege	3432	7zG.exe
Token: SeDebugPrivilege	5832	injector.exe
Token: SeDebugPrivilege	2568	injector.exe
Token: SeDebugPrivilege	3556	firefox.exe
Token: SeDebugPrivilege	3556	firefox.exe
Token: SeDebugPrivilege	3556	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

firefox.exe7zG.exe

pid	Process
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3432	7zG.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid	Process
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	Process	procid_target
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 4860 wrote to memory of 3556	4860	firefox.exe	80
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4044	3556	firefox.exe	81
PID 3556 wrote to memory of 4244	3556	firefox.exe	82
PID 3556 wrote to memory of 4244	3556	firefox.exe	82
PID 3556 wrote to memory of 4244	3556	firefox.exe	82
PID 3556 wrote to memory of 4244	3556	firefox.exe	82
PID 3556 wrote to memory of 4244	3556	firefox.exe	82
PID 3556 wrote to memory of 4244	3556	firefox.exe	82
PID 3556 wrote to memory of 4244	3556	firefox.exe	82
PID 3556 wrote to memory of 4244	3556	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.upload.ee/files/17214815/Vape.rar.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.upload.ee/files/17214815/Vape.rar.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d73af73d-d08c-43f8-8a12-eab887e70579} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" gpu
    3⤵
    PID:4044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7d06fd5-a4a0-43ff-a617-8b0d46bb5bbe} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" socket
    3⤵
    PID:4244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1432 -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3200 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cbe2eae-69bb-452d-9752-ed61e9d87ef4} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:4836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3640 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3b37a44-7a3e-4e5c-8bbb-bdd02ac05122} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:2676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4652 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b233790-95e3-48bc-ad37-78dc25a7c75c} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" utility
    3⤵
    - Checks processor information in registry
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5420 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56ea84f4-0017-4691-8354-03089a5f08f6} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:5752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1cb9714-58cf-4ca0-bf6d-5baa1c354fe3} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:5764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5768 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3edee28f-707b-4b77-94c8-16981d20d656} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:5776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 6 -isForBrowser -prefsHandle 6212 -prefMapHandle 6208 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f3ca521-972b-49da-bfd2-2f52dbcf7a51} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:3192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6164 -childID 7 -isForBrowser -prefsHandle 5432 -prefMapHandle 6008 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29af1fb4-a60a-4128-b60b-b0509638e6e7} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:2144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 8 -isForBrowser -prefsHandle 6452 -prefMapHandle 6448 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cef2f5cb-dc0b-42fc-b695-a33aeaf32196} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:1924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 9 -isForBrowser -prefsHandle 6684 -prefMapHandle 6680 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0a07ce4-bbb2-4bf8-be3a-d8740017f1d9} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:5616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6720 -childID 10 -isForBrowser -prefsHandle 5740 -prefMapHandle 5728 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a93437f-5b0f-4f07-a7b0-acaeca939f6c} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:5652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -childID 11 -isForBrowser -prefsHandle 5456 -prefMapHandle 3672 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bfc0cc4-84b5-47bc-8440-0f4017b5bba3} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:1448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6688 -childID 12 -isForBrowser -prefsHandle 6848 -prefMapHandle 6840 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 976 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edcd46ac-9cb6-4fe5-b90f-714345370c94} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
    3⤵
    PID:4104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5472

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Vape\" -spe -an -ai#7zMap26033:70:7zEvent27083
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3432

C:\Users\Admin\Downloads\Vape\injector.exe
"C:\Users\Admin\Downloads\Vape\injector.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Users\Admin\Downloads\Vape\injector.exe
"C:\Users\Admin\Downloads\Vape\injector.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
41b5e9850e84422279220ace8bd0738b

SHA1
9d2f1879b4e75edab234b7a3703ab69fb88f1c10

SHA256
76046721fbfa083dbd785b15f1146bac3f2f2c3ed232e9efbd20f11eaada3bb2

SHA512
2ebf65f023f6122c920deb0c4c13f8f853732c14057de694e3a543aef38eca82a66d3600363d51d63c90d17adc619b9e1cfd080a82558851481fcd7c60fd2038

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
7KB

MD5
a2651a16586024e011af1491c5a0c01b

SHA1
7ec7ac792480eb57d0761d2e1f6bf4c60fb8c981

SHA256
d3a89a11dcd0350983da367a94e5cccaa34bcf0e8e0b1502b50a84b6b4ed0dc1

SHA512
9c5c3c38c3be5d709c385c2b1f4d2f58effd1c14ef39d995883adf901861326c991e1cf2ad6eea658746025abee59899dd556011c48ab27793e74b081e79d1a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
10KB

MD5
7ba8ac921af29267c12cc8d4af5599c4

SHA1
58cecafdc1f3e543329ed2f645f795f2f88a801c

SHA256
5c90ba039de8d2f9f5125d60b63de4abf104e3f854b427fe5242921a3049f8dc

SHA512
b3c50a8e8c9c77d9eb6a2d53d213248af29356d69976f652d5cbded4fe31e247765caf5e755847e3f6ef26a07d2340f05fcec2352926da12ebcd5b8836992cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
30KB

MD5
3990ca69c09921bbb3cdf4c9aab8fb46

SHA1
59949d59894e6f91b086a8c11fc423397665b6a0

SHA256
ba4ee2c9ea59aa47093a49e09540d36959b424203713794b2d05ca07b741eba1

SHA512
4f28b5f08ead8b525c25594dcc7fc35a61121a361ca8e41e9d9bf89a562b0e1130baa98b59c223ef5a612f6343a1072e02f9169d124949a0bfbfae8786baefea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3a6fbe02ca173a049028054f01db4aaa

SHA1
ddcdaa11052a1293f4743fee5c38c209f5c09288

SHA256
02d32a4dab2c2cdb55919e758cad16baceab80746eb24bdcf06f508e32610a0a

SHA512
f1955dffe847d81962e7a8d0fd44fe46aa0a7ebd378df11cef6053196756b04cf1f3eadc528de3978b49d9d15e943d414f0bb0b897bbdce933e06dc0d54d13d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
815e01dd4d3e5c0d6557ff228317e5f4

SHA1
8974afd91806608a29456d74e38b4349b72f1a42

SHA256
efc88880b2f4f58390b02df7be516b5a31fab1cb0502be4166edafd1988154e9

SHA512
8da07b218fd93e6155488a81d0fd1dfc0fc5b848d2b9ee24a78d21713b845d4cb94496fd0ff16ac803783554260e51dae989a9274aa7d6f890c802b93c13fe3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\684d1996-d996-45d9-9710-aee996826b2b

Filesize
26KB

MD5
051d62110b8acfad26ec43476e53558b

SHA1
762f3f7aa11a8ffcf7eb7a2eb4ecbed9cc938894

SHA256
5433e425a3f791795c9945b58a988eaa8d785f7fd697f1113f1aff82af6b10b0

SHA512
99335fb38e3fca89f99e6ce50deffd33cba8f610d5e906ff057722c94d5ede3c3c77d12ff9fab5cb079ada7d80b6e27086476a4dbcf8c8fdabb7eb98d12cf4aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\6d30fc0b-528a-4436-82db-61dfc420fce1

Filesize
982B

MD5
9b2fdde363e4d3149eb8c08d499bcd39

SHA1
d3b33a3fddb1c8aed5b3fdc9d899169b4d33c87f

SHA256
71d0d8777aaeddf2b59292e23fa7f0af76c380d49ae8764a6d471a9b051719d3

SHA512
4f2b7193a4b796e1f7e25f63cdb646f5c614ed4d742cfe0eefcb289af2067a8170b58b5400b854eb638db08ef8498e2da418aa34f7ee012d25a4883c984906db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\8d8bbbac-23d6-478c-8235-c6ce331a4b52

Filesize
671B

MD5
86cd4586a116d519693c216e5baacad7

SHA1
5165f1d01085f47175a70d423dab803714a1de5f

SHA256
6a9a6ef48093093b1e112475aea1e22f768e96747091705c656fff2c91ebc52a

SHA512
44aea5caa1e1500026f6e7fca8db56058914a018f38410eff10ea1cb7772ee13134ab68afae556d41a474001d95947221ad21357d9cfe9a6b6756bd1ca6c3731

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
11KB

MD5
79b7e05168d2f5d87967792ff88fd160

SHA1
da15ac880eaa8035155237f92f976f0b36495505

SHA256
cc425f88143214ea6e4a02a8bd7558a371ff3ab0add60bdd32a4752dd143f5bb

SHA512
e15d455d8a8a5eb4600da80a7611024f5f2752d0f31708796ee4407cdbb68c40393f25c05d0e2f0b0cfe5b6a1f83dbc1bfe2c7d861552ff0efb62d0d91ea36d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
11KB

MD5
3305f7ecd4ca2dc4f91f77a3ced83a56

SHA1
b6c381071b2d16aa13c396971ce934b66e78e55a

SHA256
b1201ef6efb76ca5f40a106397bf81f9f3700ee11322448ee6a33b5a71b04cca

SHA512
ef53eb323582a1c63a7893032e9497dc9674370f1b4ffc64e3b08aa2a0e9b33bb6043a5db74557e22388ae4a6073b58b83a5f58accf8a29be57d7782298d494e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs.js

Filesize
11KB

MD5
f11fcaab9e820c801761eef7f504c063

SHA1
1d381311682347b99a094d6697839d0302066519

SHA256
5ec201c8c2d8300a564b0abacd0a6c96d06c795197711b1238a760804066dbf6

SHA512
fc3fda3c7e996225ddda1cf9fe292a945b8722feba9c1e9bc71b4445467f9c102ccd707679f9a6960edb6f12919a98dae16c9c2ae66654db8f42c1a68a04f35a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
ba35e8f44fc7cb9f751652d700d8169c

SHA1
5eb691d1d887f8071782386afcf0c14d56a95c74

SHA256
7e74ce15f997cb6f15b711a59ec5db9a76a3e0cfe5747b6b2eb2448b721ebe33

SHA512
4c6e7cc2c2214cc5c8edae3418e43b34664858e2a016a6480894b2d7573ada14df2f0f74c24741215b89f1d3a8458619637fac903fa705496da118dd23d2cd08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
5532f904932735b9901b087edf17c944

SHA1
a3b60ea3d946a16e54c2742533195ec6e6072b14

SHA256
d7c94d64b6c7e30a7b90144ab7ac8a01f59010783857ea5ebecf6a553b16f73a

SHA512
0a1b05ef1b7c5062f4a6898f029ef353f87d74e48c571f37b87e56be278e617ef22b1aa9bbbc42618879af2efca77d13441173a6dc6f973834efb3ae22faed2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
fe3b739a6a134a5944fc44566552a0b8

SHA1
a8cddae460d71d667d25a0a057054175573b1197

SHA256
395ea69f2d2d61e90a9e084e0d952de34ac7e0bb502a420abf9e6d74960e7555

SHA512
6da697076e45f2ae94974f141aa83ad1858b5bdc8f57f938306ef9770eb2e65adf56cdf43237a3310aed0e502605b442a9451a26c453cf573ef595467e44f9e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
49ed71a92c51ac75af86965fab51da96

SHA1
c290daaa2449c75e47dadb76e1553ca69912f029

SHA256
67d6ab4651953506a6145003f5e6b08845116303df0d2be050620d54401de926

SHA512
6a6e5fcd5167aa74cf5be27fb5756167702c50a06631042922de01c856e03a6eca83e3373b5986e7be12ebbf2a62750329cfa8a1574094719b90965aecde396b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
940e8292688745e4726eceb9e852484a

SHA1
f5907989a0a823c6752e14742f2bf59ece90cab5

SHA256
f4eda1d3fa1c01dc9dc65095e74e41bc591aa387d26781592ef38a6aef7d0f93

SHA512
a2ed3d93ff006ee5db7a5018c365fa0a54472f3225626ba1e7b0b781395a9e290a4c52b1b740c5304322725fad9a4747c77204cd40ed2c25083c28026f99db26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
5495d07f858c9e3f57dffef004a9218a

SHA1
8eefd55bc8cc0c1798f5245a2f350fbad9e4f100

SHA256
e882f5be209d90b72122a2e215e8bff1940ea989539943e9fd6c09d1af7f8055

SHA512
89fed4512336281ba707d2d8ea4df6e71595ae33028210e3d104cdad95c5abe64c4d5e7e3fce2919147a6a83e1d19412ce3a56d1bab09b47b6f589400ab63b99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
9b1fe740f4a07ee2aa7919375fad6616

SHA1
ecfff889cb659562f4dee261061d409b9f70ef05

SHA256
52eed70fd699f0ba81188e593f582c4e1e515b3109509c00bd5b2fe03b1ed496

SHA512
5cfe626a4813bad799ccd0d14ea659da3ceb53f1b07f9824513d8fc285daffd4f38884d9146bf5ba5aba50d47cc4c2dd5c8faefa79be1275855805947c30ab7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage\default\https+++oxyvn.edonhisdhi.com\cache\morgue\192\{e7a23fa3-aa88-4f5f-a08c-6c4ec08510c0}.final

Filesize
19KB

MD5
e388335edea282743616d3f145f569e4

SHA1
ef82b84776339511aa02abed218dff1ddccdb3d7

SHA256
ae6d0d3b2d3675901e87228ee42678ca8299edf77983e00f3dc05a47f6c87a2a

SHA512
02eb5a22e065e196a87b948537e3c3bdde5bd87d2c4bb598062d89bbc7577b007b1a67470aa7e359155e6e6f39294889a278db7e92a67ae1486db6518307fa42

Download Submit
C:\Users\Admin\Downloads\Vape.fHy4e2sP.rar.part

Filesize
2.5MB

MD5
9fd38e9ca6c7d97e0a832be735a7fb62

SHA1
a747808211ec504e8f2dc49705c982bbcbe8e2bf

SHA256
d3c9145e5d415f26bee532866228c2f8a2dd1256af7efa14682b4f91afbcb2ed

SHA512
90743009b547cf9a34434bcb4b9b0e91ae8d0779f4ac17166d9fbd45cdc36dc63f242de73ce55bc45b555a3be4d9ff540fd06d91e477c7324fdfdff2eb625b73

Download Submit
C:\Users\Admin\Downloads\Vape\injector.exe

Filesize
78KB

MD5
691c8bfc9e0c88048e673958036b4521

SHA1
f5d8391530f31b5540dd6fefac179061ea44f366

SHA256
2e4f54bd9589e135c3a489af339ad06bd4843a32ac0ea44115ecde240a41b510

SHA512
cb9bda3900576e8af500eaf61e812b87a443964a47ac8d6ec0696b6a32774150800da09dd84b9810b532152d0292878e5ed4e9cdaf86509ac8162e2e759f230d

Download Submit
memory/5832-846-0x000001BB5CCF0000-0x000001BB5CEB2000-memory.dmp

Filesize
1.8MB

Download
memory/5832-858-0x00007FF9E5860000-0x00007FF9E6322000-memory.dmp

Filesize
10.8MB

Download
memory/5832-857-0x00007FF9E5863000-0x00007FF9E5865000-memory.dmp

Filesize
8KB

Download
memory/5832-848-0x000001BB5D4F0000-0x000001BB5DA18000-memory.dmp

Filesize
5.2MB

Download
memory/5832-847-0x00007FF9E5860000-0x00007FF9E6322000-memory.dmp

Filesize
10.8MB

Download
memory/5832-845-0x000001BB42590000-0x000001BB425A8000-memory.dmp

Filesize
96KB

Download
memory/5832-844-0x00007FF9E5863000-0x00007FF9E5865000-memory.dmp

Filesize
8KB

Download