Analysis Overview
SHA256
73e8f590f0e2a0edf011e4b985a5bae11b11b839a99b85ecea79db6547edf1c2
Threat Level: Known bad
The file JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Revengerat family
RevengeRat Executable
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-04 21:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-04 21:44
Reported
2025-01-04 21:47
Platform
win7-20240903-en
Max time kernel
128s
Max time network
146s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -177174 -dcude -7fb2858e83124b498595233b7a6adbae - -de -ozlcpvbaragfevmb -459164
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=177174&appname=[APPNAME]&cbstate=&uid=f9c3484c-e3ad-40bf-98a8-27cf3bcecdbe&sid=7fb2858e83124b498595233b7a6adbae&scid=&source=de&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-326239623662343931313532623565393663383366316166
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=177174&appname=[APPNAME]&cbstate=&uid=f9c3484c-e3ad-40bf-98a8-27cf3bcecdbe&sid=7fb2858e83124b498595233b7a6adbae&scid=&source=de&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-326239623662343931313532623565393663383366316166
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.0.1581236115\67768863" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1144 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30d48a0e-7dea-4003-b67d-e81ac75b7ac6} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 1324 68dca58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.1.348818511\708895735" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2aa3495f-926c-4d89-bf1a-6f5d9a62379f} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 1504 44e2558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.2.427559862\1538273752" -childID 1 -isForBrowser -prefsHandle 1852 -prefMapHandle 1964 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0099200-19a4-4d8e-8aeb-a9a9eeabdd53} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 1940 1a2a3458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.3.1548765338\1063107836" -childID 2 -isForBrowser -prefsHandle 2468 -prefMapHandle 2484 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ecbe71c-e036-4de8-af08-d014414062d3} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 2460 1d2e1258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.4.385763346\1467130421" -childID 3 -isForBrowser -prefsHandle 3132 -prefMapHandle 3612 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71c7c59c-4ab1-4dd8-8e43-52de8fd94d6f} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 3744 1e7c9258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.5.1584511896\1812383182" -childID 4 -isForBrowser -prefsHandle 3864 -prefMapHandle 3868 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee457177-6c11-4b38-98f7-a9b910456d4e} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 3852 1fad8d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.6.458952728\985504627" -childID 5 -isForBrowser -prefsHandle 4084 -prefMapHandle 4088 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {035d4926-4c53-4c94-bc83-52d6403b8f30} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 3612 1a3a9a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.7.68370696\2066536681" -childID 6 -isForBrowser -prefsHandle 1016 -prefMapHandle 1060 -prefsLen 27487 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd55a134-c439-4c88-ad58-a3abc334c12e} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 1740 d63158 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thinklabs-ltd.de | udp |
| DE | 176.9.175.237:80 | thinklabs-ltd.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| DE | 176.9.175.234:443 | bin.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| DE | 176.9.175.237:80 | dcude.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| DE | 176.9.175.237:80 | survey.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| DE | 176.9.175.237:80 | files.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | files.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | download.chip.eu | udp |
| N/A | 127.0.0.1:49211 | tcp | |
| N/A | 127.0.0.1:49219 | tcp | |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| DE | 2.22.61.56:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
Files
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
| MD5 | 317ec5f92cfbf04a53e8125b66b3b4af |
| SHA1 | 16068b8977b4dc562ae782d91bc009472667e331 |
| SHA256 | 7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5 |
| SHA512 | ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65 |
memory/3024-12-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp
memory/3024-13-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\ozlcpvbaragfevmb.dat
| MD5 | 318e45502e86157d81e731c838336f04 |
| SHA1 | c032662679f135414d4fe368ed431f17e738e93b |
| SHA256 | 790fef04a24c00fac59fe385a3bcecd44f06d9b3b24f225f54e81b7ed95a6d64 |
| SHA512 | cfd3933901fd6e755a97d6de66640ccea892bc2ebd3d2b957f6359f5149822d579a1805655a08b1f30f3cd7a84bf5eb484191b4edd1e11fca12443dcd2e51e6b |
memory/3024-15-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/3024-16-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/3024-17-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/3024-18-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/3024-19-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/3024-20-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp
memory/3024-21-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/3024-22-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
memory/3024-23-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\f2cc8ab7-4d88-477e-8bb1-fd9f34cccf4e
| MD5 | b0a2d6d9ad6bed16d111f5972b44bc4e |
| SHA1 | 4259c2be93a8cee4d34220e9e44588351d94444e |
| SHA256 | 68d2297170bd7189a0a77e0dd9f940cb02195cffd5b8353cfe78ae5ef61965d1 |
| SHA512 | c8efc19394db24ef18a7a2a42b5b19a4f41dbb9f89a07608f8d2c18067653d5854771ad60fc8878d635ef389bcc4c18021320f358b6f0d83bc82fb24dd516f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\435a37f4-f7fb-4274-afdb-d740bcc79e46
| MD5 | 321935722a9e13e40f4cd249301fe3e6 |
| SHA1 | 81a672a49be855b724bad1820319adff2dab02d2 |
| SHA256 | 7d8bf440b0ea8c0e091277fa72aba84d042f258ce7e1f65402631c6c6ed9f9f6 |
| SHA512 | 3758e2976a7b284c9ee58332b9adbd3bd78757452613b62b848b2d733c7fd3c337fb8991263e9e5cd2bea0539dc0ac5a3410cc6a77b4d601c033f041cd66dc5a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 6e00851b131afd483c478622bde68d1a |
| SHA1 | 031dc4a6e4d474165b0bcb3578897a670a7af69a |
| SHA256 | 4f2be829647ce2a4cf4efa6b6fc19472f06c1093aac177cde1eb0b36ba1650f6 |
| SHA512 | bac68257c8e477b5efcf43d09085b52bef4641af426457f9ebbb0205d18da522c485b200f39d910ff10e469c27d77be6a647749eee929ab2d5c8a61b612c985b |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 3a1191f4fb7fcc41e432eb84ecdbd362 |
| SHA1 | 52d8d74e82d6bed62030570bc223796443691fb6 |
| SHA256 | c089f5b58c5149a148597b145f7525831c366797101595e6786407253d757d46 |
| SHA512 | a8357aaa52800e4dbf1f2b68cf634090db86abf22fa946ca135822a4410744508aaedf2ccccfba9afb2d703c32fc6129972182c9a9cb449110358af2aa69bb05 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 971e389e96c98315685cc256bfcf93a4 |
| SHA1 | 87b884e52e269701b95003318c672a928d47ca59 |
| SHA256 | 1eb9aba9b377d5576e75c47a2cf9dbaa27638d748b86c8d171d013364815a3bc |
| SHA512 | b9ead06c3f019cd7a7cf299c6d0d05fcac9f99f478caea21d5fac949ea39d9cd44800da0799a12d497e6babfdd071aaed8fa161d12d793634b81e924b7277430 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js
| MD5 | ec2885705e81c095f202b37cf79b3e67 |
| SHA1 | acb781716b9d01c2f96b69fd21613147c05ece6e |
| SHA256 | 35c013bfddd087500aceea106a17cf29e92b4a06a742fb57dc3c266a057ae647 |
| SHA512 | 579a137a5fa9fc17515d3ccfae5e98b1a20762e5a5c0cf398222b40bc3d7dbb5a80dcc90e3a6a2a8aba6628450697cf94a92e6e2bc1f6d3cd15b923ce8b83590 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js
| MD5 | 6ecea811e7ab810366d6629776616e7e |
| SHA1 | 90553612695e2e0b0ae1db9a7ea0b185ac222f5a |
| SHA256 | 8f3b20fd5e6a6c74800c3de002dcebea347948edfc5bcb9e28242673e59e3ba5 |
| SHA512 | c7843c0a01e2f317598b98752397f88311630e9304d978cab1faeceee7e07fd1372cbf4527a3463598c51dd3022f7c46e0e71fdd6f797c508a0d33f115c2770f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a84867d78386fbd0ddb0035ae10fe296 |
| SHA1 | b28f66a3734a633811ce29824d3eba241e87128c |
| SHA256 | 75dbe15f3b66f0d43d495b10fb0432f510c4c3e26c3d3eb62490026254f4b881 |
| SHA512 | ad5481740cf01f8f75d064e5f9f1b8dca532be8bdcf3ec6c582e6eaf5f8e955e4b104a6fd7d91c1aa3061e967b1b4ff97a4a2d65359957c9eecffe56c84b6db5 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-04 21:44
Reported
2025-01-04 21:47
Platform
win10v2004-20241007-en
Max time kernel
130s
Max time network
147s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7be5ddc2eade9ceb8ef531ff9b5f0f80.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -177174 -dcude -7fb2858e83124b498595233b7a6adbae - -de -tqkjmzcohpojjceq -590454
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=177174&appname=[APPNAME]&cbstate=&uid=e94b4df6-b7fc-408d-a509-340bb2501e0a&sid=7fb2858e83124b498595233b7a6adbae&scid=&source=de&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-326239623662343931313532623565393663383366316166
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=177174&appname=[APPNAME]&cbstate=&uid=e94b4df6-b7fc-408d-a509-340bb2501e0a&sid=7fb2858e83124b498595233b7a6adbae&scid=&source=de&language=en-cl&cdata=utyp-31.ua-66697265666f782e657865.userid-326239623662343931313532623565393663383366316166
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1736 -prefMapHandle 1728 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bf9f5a0-ba37-451e-967d-c2a21cc4678e} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {951caf40-a908-4e20-88af-b9f55fb4d0b8} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3272 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1e52378-5370-4aeb-93a1-9dcb95a0ff1a} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4052 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f805ee06-ca51-42f1-bbc3-1052e990b600} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4824 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b34f409-20b3-4588-8dc5-c01e352c94a4} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -childID 3 -isForBrowser -prefsHandle 5204 -prefMapHandle 5200 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73a37328-976b-4d7b-94de-b900f5934d10} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5340 -prefMapHandle 5348 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6491fad7-0fee-4230-bb2a-9969d1d9879b} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 5 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e200b9ff-ffde-4711-8ecf-e56ea6e3e5f9} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 1448 -prefMapHandle 6044 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e80fe41-a85e-480c-9b8a-e47e9d0009ca} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thinklabs-ltd.de | udp |
| DE | 176.9.175.237:80 | thinklabs-ltd.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| DE | 176.9.175.234:443 | bin.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | 237.175.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.175.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| DE | 176.9.175.237:80 | dcude.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | survey.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | files.download-sponsor.de | tcp |
| DE | 176.9.175.237:80 | files.download-sponsor.de | tcp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | 34.58.188.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.chip.eu | udp |
| N/A | 127.0.0.1:59312 | tcp | |
| N/A | 127.0.0.1:59320 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| DE | 2.22.61.59:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.61.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | 169.175.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
| MD5 | 317ec5f92cfbf04a53e8125b66b3b4af |
| SHA1 | 16068b8977b4dc562ae782d91bc009472667e331 |
| SHA256 | 7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5 |
| SHA512 | ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65 |
memory/1676-8-0x00007FFEF0DC5000-0x00007FFEF0DC6000-memory.dmp
memory/1676-10-0x000000001B670000-0x000000001BB3E000-memory.dmp
memory/1676-11-0x000000001BBF0000-0x000000001BC96000-memory.dmp
memory/1676-9-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-12-0x000000001BD40000-0x000000001BDDC000-memory.dmp
memory/1676-13-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-14-0x0000000000BA0000-0x0000000000BA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\tqkjmzcohpojjceq.dat
| MD5 | 318e45502e86157d81e731c838336f04 |
| SHA1 | c032662679f135414d4fe368ed431f17e738e93b |
| SHA256 | 790fef04a24c00fac59fe385a3bcecd44f06d9b3b24f225f54e81b7ed95a6d64 |
| SHA512 | cfd3933901fd6e755a97d6de66640ccea892bc2ebd3d2b957f6359f5149822d579a1805655a08b1f30f3cd7a84bf5eb484191b4edd1e11fca12443dcd2e51e6b |
memory/1676-16-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-17-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-18-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-19-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-20-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-21-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-22-0x00007FFEF0DC5000-0x00007FFEF0DC6000-memory.dmp
memory/1676-23-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
memory/1676-25-0x00007FFEF0B10000-0x00007FFEF14B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\e1c68ac1-435b-40dd-829b-4398b5b5c5e5
| MD5 | d7d30724fa5751913ed9ce2877ec8196 |
| SHA1 | 47929adec7a41114b6281a916b3617521a1016ee |
| SHA256 | eed1238f0573a9cb774e96758788d98e81d6ac4cb7e3c3a6108b87738bcd37e4 |
| SHA512 | 064f0d155f8bfaad12bb0cdf9f0fec586a558eb85a48b9df3aaeea0d7d2283c766ae943ef26215f11d45cf6d6a0b82da595e26b9326893ec0427c16281645c31 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\86b7c63b-119c-4496-a098-4643b4d50fc0
| MD5 | 3cee7df8aff57301aa892189d0ca729c |
| SHA1 | e6b2ca026dbdf1b69e277253988456b198f87b8b |
| SHA256 | 45304be9f09aa1da4dce34adf83b8e9df1eba4f48afbba9ef2aa49c52d21cde5 |
| SHA512 | f3b8b6db04708adece509095d85547925dc7edbb65fa4507ee9cf8fe4ca31a6921213827ded087d7ff5dd21e8a4c0a0120d4ac43893c88f2bfdf3495690ee530 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\d48c4ff7-2060-49a7-8b3d-b2864d9243d5
| MD5 | 239083fc3046eac5dc154be8cacfa0fb |
| SHA1 | 5eb62aff27c880b7c6bf36de404652fa9b2f25c9 |
| SHA256 | 02c40acc44c390005245274725eb9963833a1649a91285e5a219da3f6f0070c7 |
| SHA512 | ad20f6ecefc208ee1d57199ab7c2af17412bb614fe8e137f06b474e03931d3c2966b59a76864ffb0de6b00c2eb48887380fe854109173796da1104211eaa3a20 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 2197801758504ea2ea4bc482c4082fb2 |
| SHA1 | 35899607690fd40828e94b363b9c5ec6ffece0c7 |
| SHA256 | 02e0a1b7dc969518c1138daa3434aef009e60dc3e11d138c8d03860254e898bb |
| SHA512 | 039c5ad68a228e32368411df2fc403508020974be81d5acbec272f01c88c11c766edab7aa6eb559fa303cbb10ef455778b9b51b3541c6666735e677914303695 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json
| MD5 | 9aed554b027d9b4c143d1357f2e8668e |
| SHA1 | 386eb69fd162d71a4dfb1b9f02e4e8dcd0242c68 |
| SHA256 | 1289af8225932e646652511247423f2c22de65af38c5522ef19e4ae7b2f5ee18 |
| SHA512 | f4895dafc73df61fbd767d45d976a034f9e656c6ae7719dd4a2eedf19de175630163d6b1a5e9981828680e47aef2eb35b9c974c58ad546b70fc6e23fb34024fd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | b41bf7b6380f756d9f48206cfcc62945 |
| SHA1 | 2aa3b06eec6586ada857ba9aa950e2d18d874fe9 |
| SHA256 | b3245e1f452f2e986b07277d30edf22eb9642733cb4af33791126825465d261b |
| SHA512 | a0b1d5b0b77e504a48b4bfa46273b7bcd8c6074f9547c11765897e7188f3f077160a326b217a3d4dad577be0d7986738f1ad3b36f31da207f8cb1ed2ae82939c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js
| MD5 | e53ffc250ce05c4e4a9cb4699a18137a |
| SHA1 | 5c1f9de2a852220f8fbbc870025382c0e176d6b4 |
| SHA256 | 3eedfe527a08b1041fddb0f02e5ee964c45a29144a3a1dfc45b731baddd4e09e |
| SHA512 | 5058dbaa6f9b717514f0e5d33b90fbf40f937dc5c646bb4ba2a2afd8a2b11b7169c5711d686bbe98db0e96e1e7a1512d0e80bcdccbe0105a37d3e40b1f6b09e6 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | f94cd6ecdaa3a780413a9129ae10a83c |
| SHA1 | 1cc9ce086152eeb1e8b74af24ddea15f2b8a5211 |
| SHA256 | 31628fa48ebbff07077cfb98a8ff3c14887ce553d91e192e14ae70a3803bb066 |
| SHA512 | df3cb38ef3f329d9bb82f7bf0ce07518af2467e6b6fee8f7f2a94d024f90e9156708d2e24c761bb33caab8b79a4f0609f1f3c9872d586a4ddb2befe8ae06c6fc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
| MD5 | 50eeaa13c2130f87187f626ccefc17f0 |
| SHA1 | 6ec342a586285a987bb8116c7de930af706f0ad1 |
| SHA256 | a25a6d70a20d520931865624d8c2f3af890e9c2fd20c57495453f650bae41674 |
| SHA512 | 75ca3c43819962220031d655ea0049dfab08d4486f8bf45f7f9900c03f1968b826a54cf9e007023022c15dd8323eb982270ba464d0b28be589713c41827c6238 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
| MD5 | 68d0dbcb6207cfaf41f92fd8593ae897 |
| SHA1 | 4830e057d1836b23cf6e78c41033bf8f62974454 |
| SHA256 | 7b42d5e4e1de42d22d5a5650188e3576652f8c16a9b5cce58251ad7c346e6eac |
| SHA512 | aa68279c5f22329c3b4496dc5d56b60ad207e7224a1df7f655bbd5852fbac60d8a9c08fbae17db4a9933b2543e08afcaa2655a17bb6a8974fc8138adfb0fc4e6 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31
| MD5 | 7b7e6315edc665ae1c7275c6ad580fd3 |
| SHA1 | 6fd435baf2f46f391f7bc22bbc018816b8db9133 |
| SHA256 | 117c0bab05de12914b7ad9fec8a3eea964ee90c4b22cadaf2d0f395d88604cb6 |
| SHA512 | bcb5c02612cb5fad94511d307c729e1b42145ee84d09178406a9c5880b052efb888c38842d23caf02dd5971f2b07ed29c273dc74bfe62ec10a9000979e05182c |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
| MD5 | db299ad97caa670d2bdd270f4e078d27 |
| SHA1 | 0f378270c1ddda082e6fb8e84972b6adf3e33d19 |
| SHA256 | 8344169d7ea6a0494a4505d5782aaba5714a8d3d1426f36581b9c2fca50b48c4 |
| SHA512 | 7fe82f0df23318361705ee4485d111204645760906df059dde9258472f8550b4f2f02f213e967144bff9f27bd060c72274f98759881ba5bc568a5255d3a2641e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 567543c49ea5e246e2dfb388de30e30f |
| SHA1 | f5df2063799a870cb52b3bdab5b664329ed505a9 |
| SHA256 | 4de06b70e919b3d273dd4832fa92d96b64b70b46193d1f1514bc8f9f802cafa4 |
| SHA512 | 2f9efdf66f0b4287ba53c6fb66af67fdf4a11491c816f07e18cac6e8004154205ebcfa5e6177be956326cd6cd8db0787a7639ec94fb4a1410955eb492931e8ed |