Analysis Overview
SHA256
a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6
Threat Level: Known bad
The file JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Revengerat family
RevengeRat Executable
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of SendNotifyMessage
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-04 14:12
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-04 14:12
Reported
2025-01-04 14:14
Platform
win10v2004-20241007-en
Max time kernel
129s
Max time network
149s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -3742138 -dcude -87b0d7bb8b0f4880b0848e394944b143 - -de -uvdgmzcjhicjoyez
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=8dd4523f-794b-4a87-bb2d-72f342034a5e&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=8dd4523f-794b-4a87-bb2d-72f342034a5e&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1480 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33e266db-376c-418c-93b6-1945661cc1ce} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35e51ecd-8baa-408d-8363-7bec733e56e4} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3332 -prefMapHandle 3304 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa6e333-aaab-471a-95bd-3ff974e134ea} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3580 -childID 2 -isForBrowser -prefsHandle 3752 -prefMapHandle 2700 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d18be2da-44af-4c2a-bd63-1cf66bb334da} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4200 -prefMapHandle 4228 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1f04b5c-6212-43f1-87f2-07ca22801aa6} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5292 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd7bd6bf-d982-4cd5-8281-9e6911b13213} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5528 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e170705-93a6-4d41-9ce0-3d4a1448a1fd} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 5 -isForBrowser -prefsHandle 5724 -prefMapHandle 5720 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4f377d2-0048-43c9-bba6-8ad55c40c1ae} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4168 -childID 6 -isForBrowser -prefsHandle 5936 -prefMapHandle 5688 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7af1753-956d-4702-92d5-ed598f1d6e47} 1068 "\\.\pipe\gecko-crash-server-pipe.1068" tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| DE | 176.9.175.234:80 | bin.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | 237.175.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.175.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | dcude.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | survey.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 8.8.8.8:53 | 64.50.235.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | files.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| DE | 176.9.175.237:80 | download-sponsor.de | tcp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | download.chip.eu | udp |
| N/A | 127.0.0.1:51791 | N/A | tcp |
| N/A | 127.0.0.1:51800 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.73:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.121.18.2.in-addr.arpa | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.175.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
| MD5 | 09f02c017e40a998537f26d0caee8d22 |
| SHA1 | 7676d2f17068a9050bbbbe10908e75bc5d59b631 |
| SHA256 | fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7 |
| SHA512 | 0c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7 |
memory/4616-8-0x00007FFEE8D45000-0x00007FFEE8D46000-memory.dmp
memory/4616-9-0x000000001B510000-0x000000001B9DE000-memory.dmp
memory/4616-10-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-11-0x000000001AF80000-0x000000001B026000-memory.dmp
memory/4616-12-0x000000001BAC0000-0x000000001BB5C000-memory.dmp
memory/4616-14-0x00000000008D0000-0x00000000008D8000-memory.dmp
memory/4616-13-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\uvdgmzcjhicjoyez.dat
| MD5 | 29931ac60ae442addd2a0830e9ad803d |
| SHA1 | 3c840088ad911f95f43c71c02bcf2bb9828ab218 |
| SHA256 | 28d786ed1eac91eee25869406704cd49da519ce4ab82a1959555e7fc556fcbca |
| SHA512 | 4e076872b44999ec3aa08b48b038b1dce1776c4f0a69c48fe4a0f376e3278417a4edce94b00589ca64d4415f13300beefbc26412894c52417892dd713feaabe5 |
memory/4616-16-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-17-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-18-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-19-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-20-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-21-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-22-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-23-0x00007FFEE8D45000-0x00007FFEE8D46000-memory.dmp
memory/4616-24-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
memory/4616-26-0x00007FFEE8A90000-0x00007FFEE9431000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\5e944395-374a-4661-afd9-c33fb818a143
| MD5 | 7b0e46650bfd15a345ea84cbd1f178c2 |
| SHA1 | 788b88ac0f61513813b2d71ec27923a8c9d25459 |
| SHA256 | 5d1cd755cc29731c0de81c0fe01d9889fa187ddd525e0bedf3627f3f2189d4dc |
| SHA512 | 34ebd560956ff22646870591e964e0e3e6822d88b56ba376ec6503538b3194a93a3bdd0e0171a67674d491d20c4dcc04da9bd7b83678b19515af57aaca96429e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\ac17f046-e8c1-4cb3-baf7-d830b60768f9
| MD5 | 757dcbbceaf13af7a5f589cf1656e9ef |
| SHA1 | 917b8f4d4e7308a55f708c192969754eaead3b34 |
| SHA256 | 11bbf59df435c414947367ff79c8e1ec2a4902e126b1bfcb8c68905372f4c2df |
| SHA512 | 734d67e750f6133c2bdbb170514e5473002e8f3d536be9c5a0af7adb0e97b0c95fe230faea3e6117adfee151b47201d8dd4ac3d75b4e5ca1b554dd4ecc4b023b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\198efe0f-8757-421d-ac9a-996b9cd1a33f
| MD5 | 70ac1d1e5b47ff9e0ddfd17b7b82a1b2 |
| SHA1 | ff5272055a86a19b7ab292e5ed3085e486a10b5d |
| SHA256 | c9944b579fcdf6775a3a038d20067dacd6cf6c54d1f215066a5af428844c3c96 |
| SHA512 | d6fb260ce25f16cd94f4bf83f178957c0dd3f5d58d0ae9545e9289c680085648e72476d2c8518de9f8a3ea4a7ad8d03d8b7339c4c2542cd491ccc7178d1a3aea |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 37981a065ffefdfbbcecacefc2f7141c |
| SHA1 | 8dd351580a8a4d39cf0ae8da714a7df7778ad61a |
| SHA256 | 1850f6a95d21e2805452d6676b543588bad1f5b07958266318a83545ee845e72 |
| SHA512 | 9f0dbc7009031dfffd3615a06e5e74c9229cf36d6c95b737e4edc6b368cf88ca466f0495e47077f2a5fc634939e7df8e7a7a091bc5fd96a76f94cd66ece15c49 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
| MD5 | fcaabc85703ac1b891ee0fec603646f4 |
| SHA1 | 466520e8a83a3798c6f18a38ebe46f55fc1849a9 |
| SHA256 | 74e98b7c189707df55defea24660a03ee44e7a72f09e805504779ad01bad5d5c |
| SHA512 | ce55cb816ff177d19f8a2816864383efa0ba6ad7be97d66feeab55ac315d604fe77d0bd4abf05f2c3486d5e2698141b2aacff21562d8e2a839b258e46cb3e943 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json
| MD5 | e813ab6024279824a454e14c87bcc59c |
| SHA1 | aafb2b644012500489d02f6847c3199dcdcb9008 |
| SHA256 | de4ae1bc046a4805d334bbe5acf1656a23486ab0c3705c5cdf3700cb2bd12a53 |
| SHA512 | 96cb0697a035a99bcd57ba5f3bfdcf246d5c5a26f5ec9d640f4ea9bda17b3f1c4ab9aa6726de3416a00f13d6b51c339860164aeb6b94e0e57790d9f8011990d3 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin
| MD5 | 7c9b4b0575594b0f4ddc72e06b1a3ddd |
| SHA1 | 06297081357e36e7501619ec6e9b6895eb79a71e |
| SHA256 | 1a7bba63966cbe1c5cda8f44038af27e2f0c7a141fb5e9c0cf41a2ae2f040677 |
| SHA512 | 52f4dd4d203c98961715cba815f06ac8365dda32c9c94b00fecf64c72afe2bfffc74a5da3729de2b6e4b3663acae735fc1c6c245ad9045389e76c46aa5cd7cbb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js
| MD5 | 9def9418fc7f9953d76eb26eb1e15cd6 |
| SHA1 | d4cfb55815d50ad2c9c41e8533334c9b6a311931 |
| SHA256 | 59a903eab6a8c9e0a7799f1154926b4ffa48cb05afec949d979e8902d8bae1d1 |
| SHA512 | 84a76e031f85c8ffd7dd54ed4b0f093ce19c26bbf2d45a9caf9447c52dab996cdea47a3ff5e853cba75dc6c91dda2e17d9026ef5fb57c296896342e46385ab2b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 5e83fb385d2098f0f38558bee26cb5d0 |
| SHA1 | 25ad25f0dbf86eeadc88aa067f858199a94cc292 |
| SHA256 | ae251ab19d637123f1b1778999eb9c5fec3d7033186211f80fce790c423ab747 |
| SHA512 | 3e7e7c6752bab4e0ae98c3cd67e145be96f3bc92147c1ee052ee11143a509df1b109c309afa29cdf04928823903a3b12fad22f5ed17e7aea6291da47cd3e984b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 8708c88a1da9d03583f1368d739e8a51 |
| SHA1 | df332034bbe6b633c89ec6a07d7f8b93f7655f5f |
| SHA256 | 65f763df2b00b0db4782c909078f968ceaf4158e1aeb6c0c07d4978543ef1047 |
| SHA512 | 71f7ff73c06aac586125d679910b06a25ac94e4e9b611b6ad7557c8cfd846aabff12fd6ce8bfc7c296c434c75498fa3842e517eb6d939a6d59c4b5eafe901c60 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js
| MD5 | cc36dbb9bae7a7aee07aa6e911145ea0 |
| SHA1 | f32115ae88337116eb225398507ef75fc1c8d117 |
| SHA256 | 4a23f8f2c2f6597e804155ae2247fac4e498f866070e7e9cd8cbe22028a3bc20 |
| SHA512 | ae2309bfbff645fe696c72b1d02d2f17674e0149ee1b21e7dd3adb8c76deed28ebeaa219ae1ff95dde4d141a8f8e8054a18ca403fd0f8130fc099589877bf883 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js
| MD5 | 32835023143cb268e4b3c2ee79ebea3d |
| SHA1 | 321bf5b84cb55ed7dce5f6427c0abd66a0919421 |
| SHA256 | a548100d40a780f5268a01ecbb47c58904e7fa1bd7a9f4e1543af1f5c803e4b5 |
| SHA512 | 5a101200694ece6f7822350547775b986eb98c6e2c30e069426bea3d8011154eed394b64cb20ddd8e72fc3cd78cfda28ef49e4c15a29b68d6adeb02f5e5bb828 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31
| MD5 | 47f72a5ea2fef1107a9ae8a2c1a3626f |
| SHA1 | 7409243d05dd29e598ac7b82e3f3d57a6088c6b4 |
| SHA256 | 6db68f9d8c52010bb0aa9bfecb9b2ff5a2d96c8ab44362549c546c401c420768 |
| SHA512 | e48844c3add954c323d61fab56a92490e8c5305bf2e4010ef0be73c9c1133839b23abe0d91a83e79844b31ed010369b0159095ab5ca30bd2c00f280f52c5f510 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js
| MD5 | a46e866a6030d49e895523c6dca99fd1 |
| SHA1 | 5422a4d771cc7785bcb862ebcb280ac60f5a8241 |
| SHA256 | 6e113dd146944e7de94a2e06edb22a1ffef9ab7673a44da49b31ebd470687173 |
| SHA512 | 95670e16030f54ad0a13798b02fe190750d472df3650b4ba84f6fd4c6433e6e8101c428ee9c825ed4447bc6bf791e9101e21141853d3b9642f48724b23613cd1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4
| MD5 | c32ba11bad8ba70c64a8da74014dfd51 |
| SHA1 | 1eb696c78fb669de33ed38912999aac154e7213e |
| SHA256 | 5851906ad9e3ea610d38d89862a6be467106afc6a57232993b3613d2b61babec |
| SHA512 | 96eba0c86396023776814e9b4f7496707de3b3da251f386e2f4be4beffd24fbfbcdbc5087fa0fbf2afb340d5dfca4e4d38b99a94447fee6de63b766daf7612fe |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-04 14:12
Reported
2025-01-04 14:14
Platform
win7-20240903-en
Max time kernel
128s
Max time network
148s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a2028a2ec36eb8cd47f9c62d5d2f580.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -3742138 -dcude -87b0d7bb8b0f4880b0848e394944b143 - -de -qpttxdmpowjzoiwg
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=cfddc19e-6691-4898-a955-cf964201779b&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=cfddc19e-6691-4898-a955-cf964201779b&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.0.936333540\1948376992" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1100 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aa10d9b-8b75-41cc-bebd-1f47f482e04e} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 1336 fdd3758 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.1.1915393697\1548377500" -parentBuildID 20221007134813 -prefsHandle 1544 -prefMapHandle 1540 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de5fcde2-e588-48f4-a060-d9c828184e0c} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 1556 402fe58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.2.1034919800\1324804149" -childID 1 -isForBrowser -prefsHandle 1996 -prefMapHandle 1980 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 612 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2263d3eb-58e3-4c0c-b4be-4866ccbd2f63} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 2032 199cbb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.3.876552681\125274568" -childID 2 -isForBrowser -prefsHandle 2704 -prefMapHandle 2700 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 612 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c11688f7-e017-4d43-aba2-0e71e41bbfb1} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 2716 1d5c4e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.4.734205664\1901521863" -childID 3 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 612 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41353c02-5a14-4ca3-bfb8-637c53ba4fd8} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 3892 20192558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.5.1088140115\116756431" -childID 4 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 612 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ceafb60-cd05-47d0-b3e0-2f0d21bfc0eb} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 3980 203c7258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.6.402539474\1669640577" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 612 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53430fe0-c418-40ec-b9c9-4d8f112b8937} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 4100 203ca858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2704.7.1614175359\1887038057" -childID 6 -isForBrowser -prefsHandle 2764 -prefMapHandle 3316 -prefsLen 27487 -prefMapSize 233444 -jsInitHandle 612 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15e60910-6b64-4163-aff0-0e8ebd555f99} 2704 "\\.\pipe\gecko-crash-server-pipe.2704" 3012 e60a58 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| DE | 176.9.175.234:80 | bin.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| DE | 176.9.175.237:80 | dcude.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | dcude.download-sponsor.de | udp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| DE | 176.9.175.237:80 | survey.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | survey.download-sponsor.de | udp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| DE | 176.9.175.237:80 | download-sponsor.de | tcp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | files.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | d.addelive.com | udp |
| US | 8.8.8.8:53 | files.download-sponsor.de | udp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | download.chip.eu | udp |
| N/A | 127.0.0.1:49213 | | tcp |
| N/A | 127.0.0.1:49219 | | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 66.216.109.248:80 | d.addelive.com | tcp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | impressum.thinklabs-ltd.de | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
Files
\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
| MD5 | 09f02c017e40a998537f26d0caee8d22 |
| SHA1 | 7676d2f17068a9050bbbbe10908e75bc5d59b631 |
| SHA256 | fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7 |
| SHA512 | 0c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7 |
memory/2540-12-0x000007FEF621E000-0x000007FEF621F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\qpttxdmpowjzoiwg.dat
| MD5 | 29931ac60ae442addd2a0830e9ad803d |
| SHA1 | 3c840088ad911f95f43c71c02bcf2bb9828ab218 |
| SHA256 | 28d786ed1eac91eee25869406704cd49da519ce4ab82a1959555e7fc556fcbca |
| SHA512 | 4e076872b44999ec3aa08b48b038b1dce1776c4f0a69c48fe4a0f376e3278417a4edce94b00589ca64d4415f13300beefbc26412894c52417892dd713feaabe5 |
memory/2540-14-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp
memory/2540-15-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp
memory/2540-16-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp
memory/2540-17-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp
memory/2540-18-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp
memory/2540-19-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp
memory/2540-20-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp
memory/2540-21-0x000007FEF5F60000-0x000007FEF68FD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\datareporting\glean\pending_pings\d879c5a0-a2a1-44ac-89af-04da7481f52d
| MD5 | e5ad5bd78029ede126f25fea2d2ad21c |
| SHA1 | ccce16c183318e132346757a0ca0883682db2221 |
| SHA256 | 2a8638903c57a328a59095d2a6267e7a0d56655d75140080d1084478a16a69c1 |
| SHA512 | cf531e6d8923285ce05c2ed2a43a8d309f03ff3910f3d06f6e1030620ad19ed3a5dfa5f0deb31f00bb6606fed9360262478fd9420d0c48841e41c5d951c3050b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\datareporting\glean\pending_pings\1bdf98fa-e455-4d69-aaed-39909904edd3
| MD5 | d56b394f26f5f90fbb730343330c4fa5 |
| SHA1 | 1d4fa38ca599f78b6047ae394f8aa7e168dc0fe1 |
| SHA256 | 40ac0fae7dae12a606f27bb2397b34c1a02e6b38d0d8f3555f5fb367b7c78bdf |
| SHA512 | 54f3d01ed9e5a9b63cb5462aba9fa7db68fc50d8524901e316090935395d7269c25702b689e19e8e1fe04e3666677468e67f78ca6241c28e7263510ad8d7f00d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 60fe1d6795f0ae303d59368826784ffa |
| SHA1 | f2aeb10b9c0be5bb23ef5a274af73320b1ef0b0d |
| SHA256 | ccf60f21e90359c83afc759b267ab78c6a052b475725484cd392ab36df526f60 |
| SHA512 | d566ae22ba67df19ff1d2fce0b9f3f78ae202a3bb4d994f70169bc9ac586d5134f3a8bd4b7ce2168bfdfaa361605118fd184b18d0a847f7149ac394f0aa4f4d0 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 0e4cef3497832616b63ebca4ef7e7be1 |
| SHA1 | b3ebc44aa98c38835db376a8577e23bbf52a9628 |
| SHA256 | d86a45afc08afc92261fef9f79dd41d856057a97fe9bdeee6225f55066436a6c |
| SHA512 | 1eee2466477fe0f81b6635400acf779c77ea6508ac8f1d55be6404f0aec4c4377887b3ba35fdb3b204e9233d0a1ee7365d7c89673b191ede4746353b839abb6d |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs.js
| MD5 | 5cfbb6bccb5c6a8216ca23bfe1215ea3 |
| SHA1 | 2ca9472ae16bf8d69c64b997a98ec48785815fb9 |
| SHA256 | 960d95429930c66d21829ae6d8cb26f2d58241eb2a026f3a64f9321fb41f32ca |
| SHA512 | 3887287543498a49f72ee203e66935962e7b22111bc0bccfc86b798c336699146873ba5f24014fe8b5ad05ef23fbdb47aa30b55e2a6ef72b82051a16805132db |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 74659f11a15ad34d68f0b86d755bcdb6 |
| SHA1 | 75cbec0a4aff142ea6012af10aa4451276e8cb35 |
| SHA256 | dd2d57cdb2e269cddebf9b2f5326a17a994d818253c20445619aa1ff16743731 |
| SHA512 | 66c9e8c902b38b77395205386f6a6600eef79cc90da6c7cb055b7b1bafcb7d7a856005463e8c245ceedbaff9943e6c2211f24aa9b535666183c00f556820f951 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs-1.js
| MD5 | 404cb379c821ab19871aefbae3164b65 |
| SHA1 | 1093d2a4c29edc6890c8252f9f498d8329982475 |
| SHA256 | 92f836049a542df66ae32cda1ee5883f7ad37fba31b533af9c840910900b86c3 |
| SHA512 | 4a3a680aa94c046b30dd41ded78c86f9d5647d3274647bf29937bf544bcfd088ebd7b76d01099a47e996ad411ffdffe6f95c09db7afc41c324528c288b6eca15 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs-1.js
| MD5 | bde8b75a55b8c84a1b5f9379a1ee03c5 |
| SHA1 | 828dabfb8cb9d9facdb6b1d3eb36de2c5a68f46c |
| SHA256 | bb7f62b8cd8f1d7b66944af90a86b159f059b3079591836880236cf8a7683cdc |
| SHA512 | 2da65340eb95cb9724201b9658872c5feb96c0001ed1617679aac4ddd60569eb15cfc8192cb1bb08e99a841ad4c002388414c28ea25b863869d9dc008f24ae88 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | f3786393456f598b7a3736377173848e |
| SHA1 | 2399caf5eab53194d81c45529050d7944241b0d2 |
| SHA256 | 1c5c45bc8fd013ccf990055702c623c348b3ebf1a312c9565cca3bbc2503d09f |
| SHA512 | 9ab9f56ba4d44683779e3ca5f9ab8800c9c4204639a1c9881e01917e7c4605a54400c26e65c37f730dab8c1cba8d2a8fabaa83430fcb9e23b326fec44a004823 |