revengerat | 73e8f590f0e2a0edf011e4b985a5bae11b11b839a99b85ecea79db6547edf1c2

Analysis

max time kernel
130s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe
Size

600KB
MD5

7be5ddc2eade9ceb8ef531ff9b5f0f80
SHA1

adf5bdd7b3481a11f0dc834814ce22bd0e0b7c74
SHA256

73e8f590f0e2a0edf011e4b985a5bae11b11b839a99b85ecea79db6547edf1c2
SHA512

38b4f5a0ee37ab640bb9c5e55dbc593f967b0948e0b2946b2ee7b85e49d4177df6116544635553719f898023fdff12f93602bf3a9140149a076e244bd7f21d60
SSDEEP

6144:oKWlw1Dx+NASQFfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2zx:o7lw1DxS5QFfXeYU43fiysgfBnnl2zx

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000d000000023a6a-6.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ocs_v71a.exe

Executes dropped EXE 1 IoCs

pid	Process
1676	ocs_v71a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	ocs_v71a.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeDebugPrivilege	4292	firefox.exe
Token: SeDebugPrivilege	4292	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe
4292	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4180	JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe
1676	ocs_v71a.exe
1676	ocs_v71a.exe
4292	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 1676	4180	JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe	84
PID 4180 wrote to memory of 1676	4180	JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe	84
PID 1676 wrote to memory of 3088	1676	ocs_v71a.exe	86
PID 1676 wrote to memory of 3088	1676	ocs_v71a.exe	86
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 3088 wrote to memory of 4292	3088	firefox.exe	87
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 1932	4292	firefox.exe	88
PID 4292 wrote to memory of 4736	4292	firefox.exe	89
PID 4292 wrote to memory of 4736	4292	firefox.exe	89
PID 4292 wrote to memory of 4736	4292	firefox.exe	89
PID 4292 wrote to memory of 4736	4292	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -177174 -dcude -7fb2858e83124b498595233b7a6adbae - -de -tqkjmzcohpojjceq -590454
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=177174&appname=[APPNAME]&cbstate=&uid=e94b4df6-b7fc-408d-a509-340bb2501e0a&sid=7fb2858e83124b498595233b7a6adbae&scid=&source=de&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-326239623662343931313532623565393663383366316166
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=177174&appname=[APPNAME]&cbstate=&uid=e94b4df6-b7fc-408d-a509-340bb2501e0a&sid=7fb2858e83124b498595233b7a6adbae&scid=&source=de&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-326239623662343931313532623565393663383366316166
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bf9f5a0-ba37-451e-967d-c2a21cc4678e} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" gpu
        5⤵
        
        PID:1932
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {951caf40-a908-4e20-88af-b9f55fb4d0b8} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" socket
        5⤵
        
        PID:4736
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3272 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1e52378-5370-4aeb-93a1-9dcb95a0ff1a} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
        5⤵
        
        PID:2760
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f805ee06-ca51-42f1-bbc3-1052e990b600} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
        5⤵
        
        PID:2844
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4824 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b34f409-20b3-4588-8dc5-c01e352c94a4} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" utility
        5⤵
        Checks processor information in registry
        
        PID:1452
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -childID 3 -isForBrowser -prefsHandle 5204 -prefMapHandle 5200 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73a37328-976b-4d7b-94de-b900f5934d10} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
        5⤵
        
        PID:4556
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5340 -prefMapHandle 5348 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6491fad7-0fee-4230-bb2a-9969d1d9879b} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
        5⤵
        
        PID:4608
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 5 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e200b9ff-ffde-4711-8ecf-e56ea6e3e5f9} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
        5⤵
        
        PID:1812
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 1448 -prefMapHandle 6044 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e80fe41-a85e-480c-9b8a-e47e9d0009ca} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
        5⤵
        
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
9aed554b027d9b4c143d1357f2e8668e

SHA1
386eb69fd162d71a4dfb1b9f02e4e8dcd0242c68

SHA256
1289af8225932e646652511247423f2c22de65af38c5522ef19e4ae7b2f5ee18

SHA512
f4895dafc73df61fbd767d45d976a034f9e656c6ae7719dd4a2eedf19de175630163d6b1a5e9981828680e47aef2eb35b9c974c58ad546b70fc6e23fb34024fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31

Filesize
13KB

MD5
7b7e6315edc665ae1c7275c6ad580fd3

SHA1
6fd435baf2f46f391f7bc22bbc018816b8db9133

SHA256
117c0bab05de12914b7ad9fec8a3eea964ee90c4b22cadaf2d0f395d88604cb6

SHA512
bcb5c02612cb5fad94511d307c729e1b42145ee84d09178406a9c5880b052efb888c38842d23caf02dd5971f2b07ed29c273dc74bfe62ec10a9000979e05182c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\tqkjmzcohpojjceq.dat

Filesize
91B

MD5
318e45502e86157d81e731c838336f04

SHA1
c032662679f135414d4fe368ed431f17e738e93b

SHA256
790fef04a24c00fac59fe385a3bcecd44f06d9b3b24f225f54e81b7ed95a6d64

SHA512
cfd3933901fd6e755a97d6de66640ccea892bc2ebd3d2b957f6359f5149822d579a1805655a08b1f30f3cd7a84bf5eb484191b4edd1e11fca12443dcd2e51e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
7KB

MD5
68d0dbcb6207cfaf41f92fd8593ae897

SHA1
4830e057d1836b23cf6e78c41033bf8f62974454

SHA256
7b42d5e4e1de42d22d5a5650188e3576652f8c16a9b5cce58251ad7c346e6eac

SHA512
aa68279c5f22329c3b4496dc5d56b60ad207e7224a1df7f655bbd5852fbac60d8a9c08fbae17db4a9933b2543e08afcaa2655a17bb6a8974fc8138adfb0fc4e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2197801758504ea2ea4bc482c4082fb2

SHA1
35899607690fd40828e94b363b9c5ec6ffece0c7

SHA256
02e0a1b7dc969518c1138daa3434aef009e60dc3e11d138c8d03860254e898bb

SHA512
039c5ad68a228e32368411df2fc403508020974be81d5acbec272f01c88c11c766edab7aa6eb559fa303cbb10ef455778b9b51b3541c6666735e677914303695

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b41bf7b6380f756d9f48206cfcc62945

SHA1
2aa3b06eec6586ada857ba9aa950e2d18d874fe9

SHA256
b3245e1f452f2e986b07277d30edf22eb9642733cb4af33791126825465d261b

SHA512
a0b1d5b0b77e504a48b4bfa46273b7bcd8c6074f9547c11765897e7188f3f077160a326b217a3d4dad577be0d7986738f1ad3b36f31da207f8cb1ed2ae82939c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
f94cd6ecdaa3a780413a9129ae10a83c

SHA1
1cc9ce086152eeb1e8b74af24ddea15f2b8a5211

SHA256
31628fa48ebbff07077cfb98a8ff3c14887ce553d91e192e14ae70a3803bb066

SHA512
df3cb38ef3f329d9bb82f7bf0ce07518af2467e6b6fee8f7f2a94d024f90e9156708d2e24c761bb33caab8b79a4f0609f1f3c9872d586a4ddb2befe8ae06c6fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\86b7c63b-119c-4496-a098-4643b4d50fc0

Filesize
671B

MD5
3cee7df8aff57301aa892189d0ca729c

SHA1
e6b2ca026dbdf1b69e277253988456b198f87b8b

SHA256
45304be9f09aa1da4dce34adf83b8e9df1eba4f48afbba9ef2aa49c52d21cde5

SHA512
f3b8b6db04708adece509095d85547925dc7edbb65fa4507ee9cf8fe4ca31a6921213827ded087d7ff5dd21e8a4c0a0120d4ac43893c88f2bfdf3495690ee530

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\d48c4ff7-2060-49a7-8b3d-b2864d9243d5

Filesize
982B

MD5
239083fc3046eac5dc154be8cacfa0fb

SHA1
5eb62aff27c880b7c6bf36de404652fa9b2f25c9

SHA256
02c40acc44c390005245274725eb9963833a1649a91285e5a219da3f6f0070c7

SHA512
ad20f6ecefc208ee1d57199ab7c2af17412bb614fe8e137f06b474e03931d3c2966b59a76864ffb0de6b00c2eb48887380fe854109173796da1104211eaa3a20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\e1c68ac1-435b-40dd-829b-4398b5b5c5e5

Filesize
24KB

MD5
d7d30724fa5751913ed9ce2877ec8196

SHA1
47929adec7a41114b6281a916b3617521a1016ee

SHA256
eed1238f0573a9cb774e96758788d98e81d6ac4cb7e3c3a6108b87738bcd37e4

SHA512
064f0d155f8bfaad12bb0cdf9f0fec586a558eb85a48b9df3aaeea0d7d2283c766ae943ef26215f11d45cf6d6a0b82da595e26b9326893ec0427c16281645c31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
15KB

MD5
db299ad97caa670d2bdd270f4e078d27

SHA1
0f378270c1ddda082e6fb8e84972b6adf3e33d19

SHA256
8344169d7ea6a0494a4505d5782aaba5714a8d3d1426f36581b9c2fca50b48c4

SHA512
7fe82f0df23318361705ee4485d111204645760906df059dde9258472f8550b4f2f02f213e967144bff9f27bd060c72274f98759881ba5bc568a5255d3a2641e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
11KB

MD5
50eeaa13c2130f87187f626ccefc17f0

SHA1
6ec342a586285a987bb8116c7de930af706f0ad1

SHA256
a25a6d70a20d520931865624d8c2f3af890e9c2fd20c57495453f650bae41674

SHA512
75ca3c43819962220031d655ea0049dfab08d4486f8bf45f7f9900c03f1968b826a54cf9e007023022c15dd8323eb982270ba464d0b28be589713c41827c6238

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

Filesize
10KB

MD5
e53ffc250ce05c4e4a9cb4699a18137a

SHA1
5c1f9de2a852220f8fbbc870025382c0e176d6b4

SHA256
3eedfe527a08b1041fddb0f02e5ee964c45a29144a3a1dfc45b731baddd4e09e

SHA512
5058dbaa6f9b717514f0e5d33b90fbf40f937dc5c646bb4ba2a2afd8a2b11b7169c5711d686bbe98db0e96e1e7a1512d0e80bcdccbe0105a37d3e40b1f6b09e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
567543c49ea5e246e2dfb388de30e30f

SHA1
f5df2063799a870cb52b3bdab5b664329ed505a9

SHA256
4de06b70e919b3d273dd4832fa92d96b64b70b46193d1f1514bc8f9f802cafa4

SHA512
2f9efdf66f0b4287ba53c6fb66af67fdf4a11491c816f07e18cac6e8004154205ebcfa5e6177be956326cd6cd8db0787a7639ec94fb4a1410955eb492931e8ed

Download Submit
memory/1676-17-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-16-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-22-0x00007FFEF0DC5000-0x00007FFEF0DC6000-memory.dmp

Filesize
4KB

Download
memory/1676-20-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-19-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-18-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-25-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-21-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-14-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/1676-13-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-12-0x000000001BD40000-0x000000001BDDC000-memory.dmp

Filesize
624KB

Download
memory/1676-9-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download
memory/1676-11-0x000000001BBF0000-0x000000001BC96000-memory.dmp

Filesize
664KB

Download
memory/1676-10-0x000000001B670000-0x000000001BB3E000-memory.dmp

Filesize
4.8MB

Download
memory/1676-8-0x00007FFEF0DC5000-0x00007FFEF0DC6000-memory.dmp

Filesize
4KB

Download
memory/1676-23-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads