revengerat | a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6

Analysis

max time kernel
129s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe
Size

578KB
MD5

7a2028a2ec36eb8cd47f9c62d5d2f580
SHA1

3e639c1209d81cbb9be4c5fc4ddd4b942e0d97da
SHA256

a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6
SHA512

00d6da4735fde6b552487e55ee33cbcf7e071bcaebf5352c1a4f3b28ba79d08e3a404b3a4b2503cc9d6c8692e195d118dc23969d235fb85cbd96dcadcaaeeb89
SSDEEP

6144:bKlx3FcfCElJk125U8SpVUagDsvb6mgmw4sFfTysVufBn597NX2H:boVcfXlJkE5YVUjuOjysgfBnnl2H

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000a000000023b98-6.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ocs_v6z.exe

Executes dropped EXE 1 IoCs

pid	Process
4616	ocs_v6z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	ocs_v6z.exe
Token: SeDebugPrivilege	1068	firefox.exe
Token: SeDebugPrivilege	1068	firefox.exe
Token: SeDebugPrivilege	1068	firefox.exe
Token: SeDebugPrivilege	1068	firefox.exe
Token: SeDebugPrivilege	1068	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe
1068	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1396	JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe
4616	ocs_v6z.exe
4616	ocs_v6z.exe
1068	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4616	1396	JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe	82
PID 1396 wrote to memory of 4616	1396	JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe	82
PID 4616 wrote to memory of 4792	4616	ocs_v6z.exe	85
PID 4616 wrote to memory of 4792	4616	ocs_v6z.exe	85
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 4792 wrote to memory of 1068	4792	firefox.exe	86
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 4548	1068	firefox.exe	87
PID 1068 wrote to memory of 3624	1068	firefox.exe	88
PID 1068 wrote to memory of 3624	1068	firefox.exe	88
PID 1068 wrote to memory of 3624	1068	firefox.exe	88
PID 1068 wrote to memory of 3624	1068	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -3742138 -dcude -87b0d7bb8b0f4880b0848e394944b143 - -de -uvdgmzcjhicjoyez
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=8dd4523f-794b-4a87-bb2d-72f342034a5e&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=8dd4523f-794b-4a87-bb2d-72f342034a5e&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1480 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33e266db-376c-418c-93b6-1945661cc1ce} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" gpu
        5⤵
        
        PID:4548
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35e51ecd-8baa-408d-8363-7bec733e56e4} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" socket
        5⤵
        
        PID:3624
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 3304 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa6e333-aaab-471a-95bd-3ff974e134ea} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
        5⤵
        
        PID:1000
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3580 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 2700 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d18be2da-44af-4c2a-bd63-1cf66bb334da} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
        5⤵
        
        PID:3472
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4200 -prefMapHandle 4228 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1f04b5c-6212-43f1-87f2-07ca22801aa6} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" utility
        5⤵
        Checks processor information in registry
        
        PID:4012
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5292 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd7bd6bf-d982-4cd5-8281-9e6911b13213} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
        5⤵
        
        PID:4356
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5528 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e170705-93a6-4d41-9ce0-3d4a1448a1fd} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
        5⤵
        
        PID:4352
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 5 -isForBrowser -prefsHandle 5724 -prefMapHandle 5720 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4f377d2-0048-43c9-bba6-8ad55c40c1ae} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
        5⤵
        
        PID:4456
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4168 -childID 6 -isForBrowser -prefsHandle 5936 -prefMapHandle 5688 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7af1753-956d-4702-92d5-ed598f1d6e47} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
        5⤵
        
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
e813ab6024279824a454e14c87bcc59c

SHA1
aafb2b644012500489d02f6847c3199dcdcb9008

SHA256
de4ae1bc046a4805d334bbe5acf1656a23486ab0c3705c5cdf3700cb2bd12a53

SHA512
96cb0697a035a99bcd57ba5f3bfdcf246d5c5a26f5ec9d640f4ea9bda17b3f1c4ab9aa6726de3416a00f13d6b51c339860164aeb6b94e0e57790d9f8011990d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31

Filesize
13KB

MD5
47f72a5ea2fef1107a9ae8a2c1a3626f

SHA1
7409243d05dd29e598ac7b82e3f3d57a6088c6b4

SHA256
6db68f9d8c52010bb0aa9bfecb9b2ff5a2d96c8ab44362549c546c401c420768

SHA512
e48844c3add954c323d61fab56a92490e8c5305bf2e4010ef0be73c9c1133839b23abe0d91a83e79844b31ed010369b0159095ab5ca30bd2c00f280f52c5f510

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe

Filesize
312KB

MD5
09f02c017e40a998537f26d0caee8d22

SHA1
7676d2f17068a9050bbbbe10908e75bc5d59b631

SHA256
fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7

SHA512
0c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\uvdgmzcjhicjoyez.dat

Filesize
91B

MD5
29931ac60ae442addd2a0830e9ad803d

SHA1
3c840088ad911f95f43c71c02bcf2bb9828ab218

SHA256
28d786ed1eac91eee25869406704cd49da519ce4ab82a1959555e7fc556fcbca

SHA512
4e076872b44999ec3aa08b48b038b1dce1776c4f0a69c48fe4a0f376e3278417a4edce94b00589ca64d4415f13300beefbc26412894c52417892dd713feaabe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
6KB

MD5
fcaabc85703ac1b891ee0fec603646f4

SHA1
466520e8a83a3798c6f18a38ebe46f55fc1849a9

SHA256
74e98b7c189707df55defea24660a03ee44e7a72f09e805504779ad01bad5d5c

SHA512
ce55cb816ff177d19f8a2816864383efa0ba6ad7be97d66feeab55ac315d604fe77d0bd4abf05f2c3486d5e2698141b2aacff21562d8e2a839b258e46cb3e943

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
6KB

MD5
7c9b4b0575594b0f4ddc72e06b1a3ddd

SHA1
06297081357e36e7501619ec6e9b6895eb79a71e

SHA256
1a7bba63966cbe1c5cda8f44038af27e2f0c7a141fb5e9c0cf41a2ae2f040677

SHA512
52f4dd4d203c98961715cba815f06ac8365dda32c9c94b00fecf64c72afe2bfffc74a5da3729de2b6e4b3663acae735fc1c6c245ad9045389e76c46aa5cd7cbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
8708c88a1da9d03583f1368d739e8a51

SHA1
df332034bbe6b633c89ec6a07d7f8b93f7655f5f

SHA256
65f763df2b00b0db4782c909078f968ceaf4158e1aeb6c0c07d4978543ef1047

SHA512
71f7ff73c06aac586125d679910b06a25ac94e4e9b611b6ad7557c8cfd846aabff12fd6ce8bfc7c296c434c75498fa3842e517eb6d939a6d59c4b5eafe901c60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
37981a065ffefdfbbcecacefc2f7141c

SHA1
8dd351580a8a4d39cf0ae8da714a7df7778ad61a

SHA256
1850f6a95d21e2805452d6676b543588bad1f5b07958266318a83545ee845e72

SHA512
9f0dbc7009031dfffd3615a06e5e74c9229cf36d6c95b737e4edc6b368cf88ca466f0495e47077f2a5fc634939e7df8e7a7a091bc5fd96a76f94cd66ece15c49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
5e83fb385d2098f0f38558bee26cb5d0

SHA1
25ad25f0dbf86eeadc88aa067f858199a94cc292

SHA256
ae251ab19d637123f1b1778999eb9c5fec3d7033186211f80fce790c423ab747

SHA512
3e7e7c6752bab4e0ae98c3cd67e145be96f3bc92147c1ee052ee11143a509df1b109c309afa29cdf04928823903a3b12fad22f5ed17e7aea6291da47cd3e984b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\198efe0f-8757-421d-ac9a-996b9cd1a33f

Filesize
982B

MD5
70ac1d1e5b47ff9e0ddfd17b7b82a1b2

SHA1
ff5272055a86a19b7ab292e5ed3085e486a10b5d

SHA256
c9944b579fcdf6775a3a038d20067dacd6cf6c54d1f215066a5af428844c3c96

SHA512
d6fb260ce25f16cd94f4bf83f178957c0dd3f5d58d0ae9545e9289c680085648e72476d2c8518de9f8a3ea4a7ad8d03d8b7339c4c2542cd491ccc7178d1a3aea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\5e944395-374a-4661-afd9-c33fb818a143

Filesize
671B

MD5
7b0e46650bfd15a345ea84cbd1f178c2

SHA1
788b88ac0f61513813b2d71ec27923a8c9d25459

SHA256
5d1cd755cc29731c0de81c0fe01d9889fa187ddd525e0bedf3627f3f2189d4dc

SHA512
34ebd560956ff22646870591e964e0e3e6822d88b56ba376ec6503538b3194a93a3bdd0e0171a67674d491d20c4dcc04da9bd7b83678b19515af57aaca96429e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\ac17f046-e8c1-4cb3-baf7-d830b60768f9

Filesize
29KB

MD5
757dcbbceaf13af7a5f589cf1656e9ef

SHA1
917b8f4d4e7308a55f708c192969754eaead3b34

SHA256
11bbf59df435c414947367ff79c8e1ec2a4902e126b1bfcb8c68905372f4c2df

SHA512
734d67e750f6133c2bdbb170514e5473002e8f3d536be9c5a0af7adb0e97b0c95fe230faea3e6117adfee151b47201d8dd4ac3d75b4e5ca1b554dd4ecc4b023b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
11KB

MD5
32835023143cb268e4b3c2ee79ebea3d

SHA1
321bf5b84cb55ed7dce5f6427c0abd66a0919421

SHA256
a548100d40a780f5268a01ecbb47c58904e7fa1bd7a9f4e1543af1f5c803e4b5

SHA512
5a101200694ece6f7822350547775b986eb98c6e2c30e069426bea3d8011154eed394b64cb20ddd8e72fc3cd78cfda28ef49e4c15a29b68d6adeb02f5e5bb828

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
15KB

MD5
a46e866a6030d49e895523c6dca99fd1

SHA1
5422a4d771cc7785bcb862ebcb280ac60f5a8241

SHA256
6e113dd146944e7de94a2e06edb22a1ffef9ab7673a44da49b31ebd470687173

SHA512
95670e16030f54ad0a13798b02fe190750d472df3650b4ba84f6fd4c6433e6e8101c428ee9c825ed4447bc6bf791e9101e21141853d3b9642f48724b23613cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
9def9418fc7f9953d76eb26eb1e15cd6

SHA1
d4cfb55815d50ad2c9c41e8533334c9b6a311931

SHA256
59a903eab6a8c9e0a7799f1154926b4ffa48cb05afec949d979e8902d8bae1d1

SHA512
84a76e031f85c8ffd7dd54ed4b0f093ce19c26bbf2d45a9caf9447c52dab996cdea47a3ff5e853cba75dc6c91dda2e17d9026ef5fb57c296896342e46385ab2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
cc36dbb9bae7a7aee07aa6e911145ea0

SHA1
f32115ae88337116eb225398507ef75fc1c8d117

SHA256
4a23f8f2c2f6597e804155ae2247fac4e498f866070e7e9cd8cbe22028a3bc20

SHA512
ae2309bfbff645fe696c72b1d02d2f17674e0149ee1b21e7dd3adb8c76deed28ebeaa219ae1ff95dde4d141a8f8e8054a18ca403fd0f8130fc099589877bf883

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c32ba11bad8ba70c64a8da74014dfd51

SHA1
1eb696c78fb669de33ed38912999aac154e7213e

SHA256
5851906ad9e3ea610d38d89862a6be467106afc6a57232993b3613d2b61babec

SHA512
96eba0c86396023776814e9b4f7496707de3b3da251f386e2f4be4beffd24fbfbcdbc5087fa0fbf2afb340d5dfca4e4d38b99a94447fee6de63b766daf7612fe

Download Submit
memory/4616-17-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-20-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-16-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-21-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-13-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-19-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-18-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-14-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/4616-22-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-23-0x00007FFEE8D45000-0x00007FFEE8D46000-memory.dmp

Filesize
4KB

Download
memory/4616-26-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-12-0x000000001BAC0000-0x000000001BB5C000-memory.dmp

Filesize
624KB

Download
memory/4616-11-0x000000001AF80000-0x000000001B026000-memory.dmp

Filesize
664KB

Download
memory/4616-10-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download
memory/4616-9-0x000000001B510000-0x000000001B9DE000-memory.dmp

Filesize
4.8MB

Download
memory/4616-8-0x00007FFEE8D45000-0x00007FFEE8D46000-memory.dmp

Filesize
4KB

Download
memory/4616-24-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads