revengerat | 64973d4e4f31914f027b731cfba25ed690827104774f9c768770290738293a2e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62c6ba9535cf5dfc5b894a20f49e4670.exe
Size

600KB
MD5

62c6ba9535cf5dfc5b894a20f49e4670
SHA1

ba542016ea2702116a8a882fc65a22391150aca9
SHA256

64973d4e4f31914f027b731cfba25ed690827104774f9c768770290738293a2e
SHA512

2991646db1a499e2e82d80bdfbc9f324c5333ca481c6da0a0a64d9b8d00d066e41d182806bb437aeaffc8c07f99ecd1f1007ef4b7fb2da9190bcdff37d13ff1c
SSDEEP

6144:hKWlw1Dx+iASQFfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX27u:h7lw1DxV5QFfXeYU43fiysgfBnnl27u

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023cb1-6.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ocs_v71a.exe

Executes dropped EXE 1 IoCs

pid	Process
1468	ocs_v71a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62c6ba9535cf5dfc5b894a20f49e4670.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	ocs_v71a.exe
Token: SeDebugPrivilege	4844	firefox.exe
Token: SeDebugPrivilege	4844	firefox.exe
Token: SeDebugPrivilege	4844	firefox.exe
Token: SeDebugPrivilege	4844	firefox.exe
Token: SeDebugPrivilege	4844	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe
4844	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1144	JaffaCakes118_62c6ba9535cf5dfc5b894a20f49e4670.exe
1468	ocs_v71a.exe
1468	ocs_v71a.exe
4844	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1468	1144	JaffaCakes118_62c6ba9535cf5dfc5b894a20f49e4670.exe	82
PID 1144 wrote to memory of 1468	1144	JaffaCakes118_62c6ba9535cf5dfc5b894a20f49e4670.exe	82
PID 1468 wrote to memory of 1708	1468	ocs_v71a.exe	83
PID 1468 wrote to memory of 1708	1468	ocs_v71a.exe	83
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 1708 wrote to memory of 4844	1708	firefox.exe	84
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 1928	4844	firefox.exe	85
PID 4844 wrote to memory of 3956	4844	firefox.exe	86
PID 4844 wrote to memory of 3956	4844	firefox.exe	86
PID 4844 wrote to memory of 3956	4844	firefox.exe	86
PID 4844 wrote to memory of 3956	4844	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62c6ba9535cf5dfc5b894a20f49e4670.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62c6ba9535cf5dfc5b894a20f49e4670.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -1392864 -dcude -daffe1dfa5754f43a24f366eae09bf07 - -de -owzdstsymbvoxiwh -327824
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=1392864&appname=[APPNAME]&cbstate=&uid=b171f7c0-2021-4d35-b107-9bc6fa166a49&sid=daffe1dfa5754f43a24f366eae09bf07&scid=&source=de&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-323137323261333964336663316564363763353866663232
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=1392864&appname=[APPNAME]&cbstate=&uid=b171f7c0-2021-4d35-b107-9bc6fa166a49&sid=daffe1dfa5754f43a24f366eae09bf07&scid=&source=de&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-323137323261333964336663316564363763353866663232
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4da7fd4-d236-4ff0-96e2-e59203867480} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" gpu
        5⤵
        
        PID:1928
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {947caca2-dad1-48f4-88c5-4480ff286254} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" socket
        5⤵
        
        PID:3956
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 3052 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b6cb441-8f69-47aa-8606-df3229c95afb} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" tab
        5⤵
        
        PID:1572
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1236 -childID 2 -isForBrowser -prefsHandle 2604 -prefMapHandle 1280 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bd09a31-c4a0-4b48-9c1a-12c16a703a74} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" tab
        5⤵
        
        PID:1336
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4976 -prefMapHandle 4972 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1cfc22a-0e2d-4907-8a57-532829c7460e} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" utility
        5⤵
        Checks processor information in registry
        
        PID:320
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5416 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4536a0e2-331a-471a-b288-70d140d084f9} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" tab
        5⤵
        
        PID:4956
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5608 -prefMapHandle 5616 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9236308b-f91f-4b3a-9cb4-58246a22af84} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" tab
        5⤵
        
        PID:5116
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5876 -prefMapHandle 5872 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f1250de-9b52-4063-9220-999a5df4b786} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" tab
        5⤵
        
        PID:4036
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2848 -childID 6 -isForBrowser -prefsHandle 2800 -prefMapHandle 4536 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {840d64ef-cafa-4d77-bd9f-bff4b1337da9} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" tab
        5⤵
        
        PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
51613b140a47310ad53e7730c0ef87b3

SHA1
d7f6d42d733b1f78fb9e99ee3af86e79ce189a7a

SHA256
b26b1b90202d6ccbac0f78c0c8a2c7949013c4695b4b3e504559f677da04024f

SHA512
e69e16964bf48083b46cf8eb2dcd2d5c8485437e79c00aa042f9021a3c67ed1ae8b70ac87ba6ebeda048521496bbdbda96ce557b41fba84bfbf02e490aed19fc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31

Filesize
13KB

MD5
917f1a11d9db2e1b92a4ec6a908878b3

SHA1
7fca6b4b1f3643e0ed9073f2486bd805e0edb769

SHA256
71d0fbdb9ae038f522725b629d8655fa7038b4a94d618c3ada0d7c92cfa8ed3a

SHA512
4ca1b80bfbb7d2a98f88018474cc622964f76fbb4d603cda4baf7a788269629162c1ae97b27a11d1fc96271a7ea56b95379bbaa1f5160e6a16e13c2d292de50a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\owzdstsymbvoxiwh.dat

Filesize
91B

MD5
e9788ff7a9d45bfad9a9a0056664bc08

SHA1
032aaf2d06b439dbcc88cde8d71d7d014c69c121

SHA256
797e03e3b2df3918151403aca1f8801f4b329825fba0ec01200401c8074e2220

SHA512
7829fe3132b1f097c626613809997cadbcc52a0b2bed28820255a5c06871603114233f63daae541b991562a36d410e4b25786ce7cf102523ed90c24d3bb2def0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
6KB

MD5
e70ad5de07ffbfbd65cc4466dde4058d

SHA1
744df6f71295894b0fec79fb2f4f28213a5403ab

SHA256
e30a3a891a9dd30235e7eb4f8f7b6693834719481ca6cdd903a389c70ecb8506

SHA512
417d2e827433fc612dedb32267f297f0436fb15157862751c7c5941d8534a7609c557f8fdca8aab19a8a21bd04f2230f22cfdafcc3e9920eef5a74219feece64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
52ea0f49bc39efbfee2fd6580505492d

SHA1
3633125a4b5b7e0a91df7776e29d7665f5914608

SHA256
39293a2c791bdb410b1686d491637c11c5c17b1fd46141acf06669883476c551

SHA512
5544507c5491758fcd9d31038e2d017187c76ad7ef4e5e3e8cbb5ec7ff4fed1e8cff4b6f045986b81c8a130b759ca4f4b461bd32683aa9708f13cbe580bd0de4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2c294f4f24be9ae0d3ba9f5ea7c3f3af

SHA1
1298a1edcb06e6a9eefce005e01a526e6c2baf64

SHA256
0ab0b4d8a51b27f27cd2663aec2d0d9e1cae399d695286b60fd6c93b67f98b0f

SHA512
b5b845df86697d2f49d8becd1dac46e148e3999a12ef20b1ccf2119eb645cb7fee25adb4e0d6833b097290e725d3065a3f0bc0e693c6c4f35565e3a97bcd0dea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
ce213661c998d67ddd09609670382beb

SHA1
6b85ed5c591c72e66554f5b67c4d0f1f622511cd

SHA256
2619b72abf47717a59c0a5c993baf93681fb69c488909d24e3dbde37d6da87cb

SHA512
e63d64319558161530597d5642bbde5062200638485eda563628fc9889502de8e45eabbace01ef05c6d4320a23970bbe19ba9b1d6174961b411cbdd174683c2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
06f40ca67419af03e729cb4412425430

SHA1
5fec24a3bc3f72fd5c96370704b3ee55b68345dc

SHA256
7bcbe06b3fb2ce7cbfe79070156fae0ca6e62d09aef5bd5831c8f3a41482d51b

SHA512
d64d80eaff355a54b7026c00bd18d0b8ded7d8d064b647b7cd778268a74bf3ac93df9be63b3481f23dfdabb59b00b17caf0c41f7588103e811dd8dd8c155751e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\4a5241da-d579-4add-801a-2295cb444b3d

Filesize
982B

MD5
f4078cdb4ee3f10bf63d46ee45f6637f

SHA1
377afab74b27d5b41fb67b80b580ea43583c10f9

SHA256
5689fb65e71603c82ea1008622579185680cc11ccc589c3ed49ab49899d9c009

SHA512
1305b769566c437545e866f7c2804142d9d8bd6dec17200d2e13741a4f876532254f8b0599833a3f83f25cedcb9d84765f91051ff6378c66b4e4f7bc907b24e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\6f6eea87-8c54-44c6-b6b9-ef5f7451a41b

Filesize
671B

MD5
c2df83e897fdc4593e79bf2a1d5166b0

SHA1
a8c876da3fd71def8f6b01064e8bb2bd1417aa1a

SHA256
a0c5b9cae4cb8fc065ad0a80b3d71bf92bf51550fa83d6830891a3a4c3fa8842

SHA512
5b2cbd5caf428e779c9725cfc96b45c9b60bf97c83eb7611da076ade7c27f1e6be6d280d6112e5543afe5cb6b34abdcc14e56515a98dd53c3b5c71569fe61520

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\8f5032b6-03b8-4efb-9b9f-b9e368615834

Filesize
27KB

MD5
17d3011bae4a189f7f2324c0a00b4ac7

SHA1
1d434bbc3ccdb14c9dc060618672f389812c0613

SHA256
3449d74df8eb078eb1f4ad1211d08123167ee4f63248a9090f9fec9712c148f5

SHA512
42cc2286d5855661f23a7279ff3bb9240961133d9514a228a4cc9ec8b23794ea8823e5caf7463930aa1bd65adcd000d5d059bf9cc8cbb97da414ac67e7451928

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
11KB

MD5
fea1228c6fb6f866d74a0dae2947d833

SHA1
c9897bda69800a538d6a81067f8918eb4c41a531

SHA256
81d91afb26eef5c1883bf21d52cc84664c11940378d5ca6af1c0e48bfb3ff093

SHA512
7c7ef628ffa65680056cb03f53f29fc71e46255272075f45a8e7394ef6b42a72221a210c04d2210b9b38960089775d7676d852db9332c000f78a99c7e03cf7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
15KB

MD5
677087d56066cc6ac8330746ce6faf01

SHA1
5c965d10df915693ba05081541c01a9452c1b051

SHA256
0494609f2aedb60514dc55d45ce88fbaae2b4ea2cc7d4d48917cd64fe184b32e

SHA512
25c762f673782e84837ed1b557fc55264a13ef2918c06e1e9c6cbd31b5568108f5a7bef3de4c0e0332f26bdac447149cd04a630c8f41e0009b5d42639c1d520b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
ad908ff89a3abdaf362cf6f38eacfe97

SHA1
7e3607d7ec39a294071f14afc7ec3a472707c574

SHA256
370dec2ba9a2f04a2e3fdbdbbed90e84122bb7cc46ca428760b71d1ef389b03b

SHA512
bca9ad5e75ed825f658bb12dc9286c0c18ba39bf626939254ae8c5dc59e31e14be0c24527fd091a3ef9c7b07dfac18ff6375c9249fb8245f19f93b4808983892

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
46ea3414c52a0fff87822e958903bef0

SHA1
70ce3b92fd40c6cd9422ab983459a7d27bf95e01

SHA256
8449b5cd14dd837323a30f5d5458609ef82500bb198288c08da53d3e15d1a4ff

SHA512
94fede424a12590be41fba3de69abc27d53c9e5c5689456eb15dc6c455299fe5f8d87ba8e63718882bcfb829ae4ba19364f349334cdbe27b52212896ae39c12a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
594035596a2babdf179c64d76c8e4c85

SHA1
203fe320c7d0b43876f0c6c0d284b88ee39261d3

SHA256
5a3fdace6be0133f546232cfd6107c5ba8a0568adda702414c9a8420a7e64e8c

SHA512
a0f1d9eb6717689d4ab2cfaa5e208345e8f3588321c32b128d923613d9d5bb939daa9c109c1aa59b7ecf454fc07bd3b6345283f73c1730d5a1eab8755406fb9a

Download Submit
memory/1468-13-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-19-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-16-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-17-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-23-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-18-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-12-0x000000001BD60000-0x000000001BDFC000-memory.dmp

Filesize
624KB

Download
memory/1468-14-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/1468-11-0x000000001BBF0000-0x000000001BC96000-memory.dmp

Filesize
664KB

Download
memory/1468-9-0x000000001B720000-0x000000001BBEE000-memory.dmp

Filesize
4.8MB

Download
memory/1468-10-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-8-0x00007FFFD29B5000-0x00007FFFD29B6000-memory.dmp

Filesize
4KB

Download
memory/1468-20-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-21-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download
memory/1468-22-0x00007FFFD29B5000-0x00007FFFD29B6000-memory.dmp

Filesize
4KB

Download
memory/1468-25-0x00007FFFD2700000-0x00007FFFD30A1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads