revengerat | 21b728321502d6e91aa763a31289f730dcc168b1e04b7ce31979e01ff330ed19

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_43983f52deaefe1ad90e41142c646320.exe
Size

600KB
MD5

43983f52deaefe1ad90e41142c646320
SHA1

fb534dd7bb3ce23aa145f8bbbc1cd0bd5a55e39c
SHA256

21b728321502d6e91aa763a31289f730dcc168b1e04b7ce31979e01ff330ed19
SHA512

1d468b4ca2a76e38b3975b30db15783da20b7d82afbf43cd01af7dee4578256accb714b9352485baf31a711a41820b4e9ec85ee1c14d4576aff6a6006cc25278
SSDEEP

12288:V7lw1DxUp2fX9IiyO9KWz3d7ysgfBnnl241:V7m1DJ3yO9KWz3lysgpnncg

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000a000000023b78-6.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ocs_v7f.exe

Executes dropped EXE 1 IoCs

pid	Process
4100	ocs_v7f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_43983f52deaefe1ad90e41142c646320.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	ocs_v7f.exe
Token: SeDebugPrivilege	2036	firefox.exe
Token: SeDebugPrivilege	2036	firefox.exe
Token: SeDebugPrivilege	2036	firefox.exe
Token: SeDebugPrivilege	2036	firefox.exe
Token: SeDebugPrivilege	2036	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe
2036	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4740	JaffaCakes118_43983f52deaefe1ad90e41142c646320.exe
4100	ocs_v7f.exe
4100	ocs_v7f.exe
2036	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4100	4740	JaffaCakes118_43983f52deaefe1ad90e41142c646320.exe	85
PID 4740 wrote to memory of 4100	4740	JaffaCakes118_43983f52deaefe1ad90e41142c646320.exe	85
PID 4100 wrote to memory of 2332	4100	ocs_v7f.exe	87
PID 4100 wrote to memory of 2332	4100	ocs_v7f.exe	87
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2332 wrote to memory of 2036	2332	firefox.exe	88
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 1152	2036	firefox.exe	89
PID 2036 wrote to memory of 3704	2036	firefox.exe	90
PID 2036 wrote to memory of 3704	2036	firefox.exe	90
PID 2036 wrote to memory of 3704	2036	firefox.exe	90
PID 2036 wrote to memory of 3704	2036	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43983f52deaefe1ad90e41142c646320.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_43983f52deaefe1ad90e41142c646320.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7f.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7f.exe -install -3885466 -dcude -8afe1021521e472782870d5035cea463 - -ChromeBundle -frdwahlroenddpws -590274
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3885466&appname=[APPNAME]&cbstate=&uid=800911e3-a5f4-4138-954b-b793ae42d590&sid=8afe1021521e472782870d5035cea463&scid=&source=ChromeBundle&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-393531626337373564396462316431613739353163623231
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3885466&appname=[APPNAME]&cbstate=&uid=800911e3-a5f4-4138-954b-b793ae42d590&sid=8afe1021521e472782870d5035cea463&scid=&source=ChromeBundle&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-393531626337373564396462316431613739353163623231
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1752 -prefMapHandle 1748 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92cb2222-99a4-4c9b-868d-88d208a872cd} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" gpu
        5⤵
        
        PID:1152
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aa97928-fd39-4439-8db0-59f435c9e8c5} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" socket
        5⤵
        
        PID:3704
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b585cc2d-749e-4885-93db-04ae299fc007} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
        5⤵
        
        PID:3052
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -childID 2 -isForBrowser -prefsHandle 4092 -prefMapHandle 4088 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79dff99b-3162-44b0-8483-d324e6d5820a} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
        5⤵
        
        PID:2268
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4816 -prefMapHandle 4812 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5049623e-8fd6-4e76-a933-f4385632d55f} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" utility
        5⤵
        Checks processor information in registry
        
        PID:2800
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 3 -isForBrowser -prefsHandle 3984 -prefMapHandle 5236 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1588c5eb-b2c1-4827-acc6-f251e5ad4de5} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
        5⤵
        
        PID:3268
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 5392 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6357c03-c562-465f-a4a2-1f777f70a6cd} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
        5⤵
        
        PID:1212
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5476 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {292e184b-7d6f-48c9-b0ef-1e2610ae7532} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
        5⤵
        
        PID:940
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -childID 6 -isForBrowser -prefsHandle 4764 -prefMapHandle 4680 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cb733fc-d434-48b1-8951-330ecb4c5361} 2036 "\\.\pipe\gecko-crash-server-pipe.2036" tab
        5⤵
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
27a86850e27b3a80f24ada550acb0771

SHA1
ae5a5d3177fd59e2de32cd2f6e711b80c1b9f9c8

SHA256
b21998596b7c8293f0f1586dafb0702ed34fcc408fd6d9203d5bc4795ec2485d

SHA512
0d5bb66ee7b451810b8d15afcabc622a275b8dbeae058375b8505828bffe3f51039adb6ddbdbe824b1701a0ab128483b21d63750a3df205ec9729cd99ed81cbd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31

Filesize
13KB

MD5
0da4a180438bf94e32c9f999cfade4f3

SHA1
439d9d4f89dadee008945b7e94555cc3cc4c3037

SHA256
8c545f5efdde56df8c4bc308e2c4cd4f784b9c80237f091cd32c9b21efb13764

SHA512
ff55220151c5744ca17f76f6085400d584a5ca807378d7a42a94776ffd42648c409facabf629886d4ba68e9f2522f3bdb589be5cf36315c8c3909647bcd61cb2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\frdwahlroenddpws.dat

Filesize
91B

MD5
cf3248f5f9a03d6cbfd53a1769cee2a0

SHA1
3d10b59fce66f5cc8b579db82f7f8209b126576a

SHA256
0e39095b9c489474c620abe48e9d075e2f610134b8a924e4ec1fd8a9027ce461

SHA512
942a27020d80fcca96bd4d7ef9c337297fbbb179f298939c0534376ff3debe7e338369362c38bb56af73209f6ea542148b25d356922879d2b589f520bb615429

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7f.exe

Filesize
288KB

MD5
ea3ccd42dbdc3500e3888daf53d8ef5d

SHA1
848c686280eaa04b172fccffbd312132a0c46172

SHA256
cd166eede0e0e5303fc3f5fe5f0dd44999020f116bde2adea15319cc214751b5

SHA512
7126ec10c2301354f32f3f813958c61eaef63fe946b804ebd6f5934068b344ab75857886d867373f7a2ccf47f18a5a0f1dbe652e9649963a9fdea2b3de6dba50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
d6a60d3efb318030680c4fa3bcbae398

SHA1
c2230db2bc0f82317e581a7f96769613660cc819

SHA256
d37aa4a190a4c49ceac293c8c12304354cf8131ed6adb085ab8252cbd39576e0

SHA512
6f0301f600dc6ba45036abc3a152ef619675f88f8e65c1169549a5c319639972275a7d052ae714892aae3470bc1f4868eb457c605f439eb443a788cc854b8798

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
102d33d5754acc2e5368b5eb7859bcf6

SHA1
2e0e80f6fe846e04fea11fcfd614eddcdb656793

SHA256
00e4cac8cb433db7f2aee9888f778df55613ab3d6b08aaa2e98adca0452386a7

SHA512
2a55bb958f42c834c91e925257ccac3cefc80022884beb42d9e65ff77f2a84f16f2e87d550eeea404d07621ce9684f986546709f780300501e3ed0da328cc560

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
1086c4de619467618ef5aacee246e910

SHA1
5392d8357b0928a46b7525a3adf190ebf5fac5a9

SHA256
ed1bc24bc185d16e6546f250f985c34244d4db579922358f7612b139616c4f5a

SHA512
8cab7051f492bfcb063480f42e7983f5e3095d79a6c7280a26004abab83ccfbff5dfb283d35c50d6ed563a0082729fb2e15ab060304cad3f173ca395c65c75c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
4fdc7bf82bd69a20de790e068adff406

SHA1
d5412721709cefecd9ea256b0394aae3b255afc3

SHA256
774903411763d521ffdd631b6208b7375c275d0d56dc56acec854ea2aa442a3b

SHA512
90385ea730be6e2049d8dd7fbab91d7ef4deaf2a0a8477731fe0d927ed66c5cbf8847d2d6922a1cea008cfdce6f40da419c9cf7accf4dc3d725097cbd3400a85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
37b816e5bbe254f7c57d28268e84c5b5

SHA1
ab3e3821ceb9c6ba24c681cc136a87424e6ced1d

SHA256
c595555921313445b24a3351fb17910ef0cf812e0439924dadfbff97ebf287e3

SHA512
0ea717b30e097cbc2b3ba8eb778aae66bba65f8437a7d66c69c434c7f08dc0e61f5f80be6e5efda7cf3e8463c86f0ccde9705fc1d9ff40e5a4dedf20e11e86be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
bac1afca135e8675e75eddd4bc22ae68

SHA1
5fbdf0accc655ad70076f82594aa75acb0463302

SHA256
8143ec15c827431c9989dbc26408d17be64b8b9bb1e6cbb1179236b2e1d06c3c

SHA512
d4fe79fc409a606f39dc1396d40bdc06c33d02beeaf5880fce20eaf93d9fad620ae85881f0169812d81c9017a6474949587c4991ff2924f1b33e5e8eeacb040b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
c0a66336426365febe74cd466e99f9c4

SHA1
e3711af8e13c5e0d83ad6cf475c92b0bfdc2579c

SHA256
f0d65804aeee376dd34cbdc7d7603bc2612056f17e799845b5cb18ec1f4c6ef1

SHA512
a947694f6b06e4bcd393d0d79131c16ba51a18d4df912bdf59ef95a56ea4eee78000b382888465dcdc33f92b9a55c598ec2192879df06c41223f23c478f7b2e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\7581e4bd-ea62-47d0-9ccb-94dcb7360a95

Filesize
659B

MD5
7268b70a2fe7493aaec44bd9c8da316c

SHA1
ae54ec8112bbe34589494750f0106188740a7127

SHA256
c9b7c1b9d6694d87593036c96a9db706a5c40f671ac6ccfcf9e8d52a797c4a60

SHA512
2605cc8ad84fe2a60fcfda2748d29916ac960ebdda8b46fcff6c811161e8116d31d10643026dfb1b7514bd41e1fd75f4ea075256ca88903d204fb8bfa2dbe8dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\c4e53e74-5048-4068-843c-1760671f224d

Filesize
982B

MD5
a47f1e21ca74923037b31388a279f1e9

SHA1
e142ace4cd207f3c2bd40581232c9c37760ff63d

SHA256
4a04619b7a289082ba9d407568f6633643f9e7492f87d3fa539ffc25487062e4

SHA512
d7f1a2aabc19b133101fe83807da120aa150d94d8cda57784bc25306252941a42c78f478b31898ddefe1ccc84380a3756c4910defd460c7e74398125ef55b2b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
11KB

MD5
64f36cc88972f358902a46849603d2c7

SHA1
d182219f2b322c81a9a76c82138f157f5f4e3025

SHA256
959eba8a85e631f5a2477d9c0b617c03ebf95985e4c9cd5a027eb16f7f1d130c

SHA512
cb99d3af885e206cbf986f830fc3268c9840752dcdd2437546c7b6c0c8ee0445102d70b28cc7d6cd74918a2d8ad95513579c2eabc2597f780f6d1cb2948e375e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
15KB

MD5
1ee2d3bb7ae5eb813578d5b5e95dc38a

SHA1
da3878812ce18639c82bc7549f62384538811cf0

SHA256
6166eed9b7f00b0f54a3ed6b2be69a597776635408f54d0d66341c95c4b61f7d

SHA512
86dda2ca7554bcd178a6f7cf966ee21bd7ba3c010fa433010154923b7a90b0c08b0baf13e93b72b4aa3673d43434aebfcfa2bb0d311030e8f5b872bc44cee37a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
e1c92eabaaf11d4ab322317d520cc3bc

SHA1
14ced88e11cd47020f01424bcf17f5c33a68fef2

SHA256
585a5fad12b24ccabeb341a827007d697cda5ef187bed99847788b48db01bc66

SHA512
d18be99c04a69a2c856a37c7bfcba296f7b437e9742126bd7613f643e11c629206cb6a1e04ce39fafe35633c094d17407dfd5b5e73506e020fed29dce7d35967

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
0670b440d462fb01ebaa9ae4b80cb49e

SHA1
a0d0e02aeb6a1f4499c51186a541e9f59ddb31cf

SHA256
35a7103c8dc51afb698fd617b7c25a4ce1866e707f72f7e675eadcb9032ed2f5

SHA512
ae047dcc42399a4e8d84945465a9037133e91e8c74198ddf15fa121a2b53964c8b5dfd36815f9c3215e4b9d501e316ce4442019eb1967d938b4ba4e865d4dbb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
6b112d0d41ea58364124ed042d7c3020

SHA1
dce5a5ccf39c6f956592c1311b11bfbb08a1637b

SHA256
3261efe55da6761051facaea4d6f8deb2a490082e7d7eb3a55147dd95dadf666

SHA512
f50fac6d9df9e2cfbdc91ad87bb05af8ba3e06f4acffdfccc0cdd08454ceaad1e17b95406eb1dc1871f936f99f3aac68f6252e787895a91fea5f1342ff4a5bfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
936KB

MD5
7678ff60fe6ed9924a18d500b3dfcef5

SHA1
bc0297ef383320def41f8605ce80842ecf764c03

SHA256
bc2bb6439d3d85e286f2fdcdc7a042d1b2ff832236b045ddb303ff781be4fccb

SHA512
683aa2fc43c3e4883c1503c1b2833b0d8145ca805cfb82230efa493688257c181a9f39123af8ae74ffafd6c72fc07e12fd5aca814e5e424344672165f54efdac

Download Submit
memory/4100-16-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-12-0x000000001C930000-0x000000001C9CC000-memory.dmp

Filesize
624KB

Download
memory/4100-19-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-20-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-17-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-24-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-14-0x00000000017C0000-0x00000000017C8000-memory.dmp

Filesize
32KB

Download
memory/4100-18-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-13-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-11-0x000000001BD90000-0x000000001BE36000-memory.dmp

Filesize
664KB

Download
memory/4100-10-0x000000001C3C0000-0x000000001C88E000-memory.dmp

Filesize
4.8MB

Download
memory/4100-9-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-8-0x00007FFD64E75000-0x00007FFD64E76000-memory.dmp

Filesize
4KB

Download
memory/4100-21-0x00007FFD64BC0000-0x00007FFD65561000-memory.dmp

Filesize
9.6MB

Download
memory/4100-22-0x00007FFD64E75000-0x00007FFD64E76000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads