revengerat | a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6

Analysis

max time kernel
94s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe
Size

578KB
MD5

7a2028a2ec36eb8cd47f9c62d5d2f580
SHA1

3e639c1209d81cbb9be4c5fc4ddd4b942e0d97da
SHA256

a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6
SHA512

00d6da4735fde6b552487e55ee33cbcf7e071bcaebf5352c1a4f3b28ba79d08e3a404b3a4b2503cc9d6c8692e195d118dc23969d235fb85cbd96dcadcaaeeb89
SSDEEP

6144:bKlx3FcfCElJk125U8SpVUagDsvb6mgmw4sFfTysVufBn597NX2H:boVcfXlJkE5YVUjuOjysgfBnnl2H

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000a000000023b8d-7.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ocs_v6z.exe

Executes dropped EXE 1 IoCs

pid	Process
1760	ocs_v6z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	ocs_v6z.exe
Token: SeDebugPrivilege	3060	firefox.exe
Token: SeDebugPrivilege	3060	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe
3060	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2436	a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe
1760	ocs_v6z.exe
1760	ocs_v6z.exe
3060	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1760	2436	a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe	83
PID 2436 wrote to memory of 1760	2436	a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe	83
PID 1760 wrote to memory of 4868	1760	ocs_v6z.exe	85
PID 1760 wrote to memory of 4868	1760	ocs_v6z.exe	85
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 4868 wrote to memory of 3060	4868	firefox.exe	86
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 4012	3060	firefox.exe	87
PID 3060 wrote to memory of 3884	3060	firefox.exe	88
PID 3060 wrote to memory of 3884	3060	firefox.exe	88
PID 3060 wrote to memory of 3884	3060	firefox.exe	88
PID 3060 wrote to memory of 3884	3060	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe
"C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -3742138 -dcude -87b0d7bb8b0f4880b0848e394944b143 - -de -tnnwinkueebijodi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=66a3fd4a-55cf-4eff-8f1b-9c420fc418a6&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=66a3fd4a-55cf-4eff-8f1b-9c420fc418a6&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f16dcb-de3f-4f50-829a-a57576170ceb} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" gpu
        5⤵
        
        PID:4012
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5aac60b-ab78-4b81-9c47-63736d710195} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" socket
        5⤵
        
        PID:3884
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2712 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3036 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {983297bb-6ecc-403c-8344-f03afdfb671f} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab
        5⤵
        
        PID:2152
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3108 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {565d537a-7c03-4311-971f-79b9314d6ca6} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab
        5⤵
        
        PID:2944
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4504 -prefMapHandle 4500 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96d84362-b386-46e5-8f67-21f4e4677c2c} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" utility
        5⤵
        Checks processor information in registry
        
        PID:4736
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29453c96-c14e-4459-8b0b-4f2b38536f73} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab
        5⤵
        
        PID:932
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {669afcfa-a5f4-4b11-8869-b353475906fb} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab
        5⤵
        
        PID:3260
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5644 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0298df49-f8c3-4318-9d89-654cee3fd671} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab
        5⤵
        
        PID:2308
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3600 -childID 6 -isForBrowser -prefsHandle 3720 -prefMapHandle 3688 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b41665d-0b94-4c64-8f21-ab44048035c9} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab
        5⤵
        
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
2d0a9682a34256ab143d47e73aa2a1e0

SHA1
9a32fec75b016c24af5727e6170c2922eb42f17a

SHA256
1db4fb424d40a086154f91ec30ddc9d873ccab02179e3b3cc068c488e76ffe70

SHA512
6d83af56455d4a63eb3987d6f09807c6592e2920e439ea7427937468c5ce704b138051e2e44dd092af941665457a10560cceb1986df5c203e129945799bd18f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\6653BC7BE242C21AA1988A4A42D1DEDA18231C31

Filesize
13KB

MD5
eeaae87040f2c01b752dbaf4cd4ab961

SHA1
056a8a22d0ced52492073b9d2f299f4c40d4c840

SHA256
3e0efd9aca1ccc9ec5eaeb9a5c462c58dd6e159f20c617bdd19d2ecbf2a17ec3

SHA512
ed94b24b57ced926905e91b10303313af95435c8fa8ebbff84d2f7013e8358c81219c0934a606d877040e6ff3444c8baeb93ce724439d34727e8562ba255e238

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe

Filesize
312KB

MD5
09f02c017e40a998537f26d0caee8d22

SHA1
7676d2f17068a9050bbbbe10908e75bc5d59b631

SHA256
fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7

SHA512
0c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\tnnwinkueebijodi.dat

Filesize
91B

MD5
29931ac60ae442addd2a0830e9ad803d

SHA1
3c840088ad911f95f43c71c02bcf2bb9828ab218

SHA256
28d786ed1eac91eee25869406704cd49da519ce4ab82a1959555e7fc556fcbca

SHA512
4e076872b44999ec3aa08b48b038b1dce1776c4f0a69c48fe4a0f376e3278417a4edce94b00589ca64d4415f13300beefbc26412894c52417892dd713feaabe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
221a90b950da314fafc5085d20dd5bc3

SHA1
788634fc4e27bcc7dc2e4eae33daa597f4adc76b

SHA256
ed30f30b5837599b3693ca89ac21cd614b4ff63c80ee7c740bdef5c26f999e8b

SHA512
2b1a3504e8a6e394ba0ef6382e918671f0f8e1c41eaf97aad47971e3634157102620dd55329f3193da4d7d8114116f18615139dde2b005792d91a6c54778986f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
c0d2831bebcdd3e970ffaa1698aaeabd

SHA1
367d0865afe75910dc10c5ddb867b881d92febf8

SHA256
2a02c72f3b5a1668a8879de9e147683a0a2507a6a0b07a910fdb538d3ff4bc5e

SHA512
f324ddf5f51a9cf9adc1e61930493969c47b3f4e5e92250f44c7a097b1a7c01852985671740488999b87b3e86b205f23d07b87e71f7166c5efdacc092c31294d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
62151b924c462f1c7a9bf38b2cdb9c23

SHA1
f2e4d6201f148422a3f203bc68efffac953b1475

SHA256
c27d122384dd23c59863f80c085de2c50df940afd8724df26dcd6116d2ee8d63

SHA512
ab48015b26ff1c85958cc4b6a257a602e488cbb484150cd997bf3b68f920029e5d828898b62f3b62d83e6b01e8e8a95d7e3b8a29cbdaefd22b160d0690a10e87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
4908f0b8cd91cbf39bd2e68540cacfcb

SHA1
a036215485f81266a2b892e6c78520bac3fbd07e

SHA256
2c0eb62fdcf797884c6fb74de147726c5f89a2bd27c854034fe4a979b246ca32

SHA512
5439c314b54f1c814cae9140ba79c00ab3415c504a7d54d4e604c07afcfd05f245d4faa7da5deedfb7c29e7e1e3f30d1f13da476b9eb1a6a17db67bf0fa2214a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
bd3f67deb212c3626099f7380a4683cd

SHA1
c761f8adb764a62954749c4a5677f15dfc797b3b

SHA256
28f255a2d1d2e95d159ee3e4e73c2ee14acd04aa97366015dfd0c729c7c7b46a

SHA512
a43399697b4d30c335385b0aa4d84e4be036dbc2213f926ae527b547cc5b14c2f34dbe3f55a7d7ffd4eee607119f165eb457c22f4d4c8c2720627e3172095765

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
c0cf85aded128b5c0ea6829cc1d2f663

SHA1
1d8bdb71189c5c5053d0dd0e7422973ad0e23862

SHA256
c1687403bddfec754f153dfcc93ba77f5cbdaaebefd418894742951a86ba488a

SHA512
23e91698ee7d9fcdca7a32c4660e53f28066e846431840838d57389982d9eda720e264a3578b41fad7fed86352bda6f95999ede83645cbfc1cc9846cbdbdd8ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\016500b5-e0c7-4563-8f09-f08d760412d9

Filesize
982B

MD5
dfbfca8b17c59e8d91f26bcec166a4d1

SHA1
04ff2b1350d07d42ebe2ddefdf9cb9979b46f20a

SHA256
ef89e25829641929bc44b1742bd8cb63dc8999e14039297557c69f72d5fec72f

SHA512
48234d983fd1041e9b6f8e485c28df51e653549010b5cc952e91eab1993da4cec9f7dbb62603fda31aaee20293a0c138a9ae73497d303514a369487faaf89287

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\b4e12750-6c0e-4a03-b7ad-0cceca1e05a4

Filesize
659B

MD5
dc4c7eb26d24aa3f9f2ba4dba5fc847f

SHA1
25b2945664901bfb7fa7926d884259637aa63360

SHA256
501920b3db429d80fff2d6942657ca8c1da8a94249fde1515e4a8fade4d72178

SHA512
1daa76cddb44c9cae83aebb948905e1ffcb444732746bbe515d05074d4813a3581e6a6046896b3517dd4b307dc15c06ac8aa112ca787f256396b564f00243521

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
12KB

MD5
e43c082cba1b9a9b275c776c8e7d4018

SHA1
2ae193a307ff1fd33dfaa7cdaf08495605b07c2a

SHA256
64ec6d25bf926801dc3f3b11a7bf3a51dac94f085904646e794eb910d7654266

SHA512
d1ebb3ad7cdc47655b92f1cb4b53fc64b2a7b53fecc6893649bece4bf5708e237f790fe27d47ce69d9146cfb63d13c19cf0ed59a681ae379ed174f3aba146d8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
15KB

MD5
46d5514ad9b5d9e883eeebfc7a14ad69

SHA1
b9d845333276033d607a8872803e138a55c57477

SHA256
9b8cdeea9f975c32f0743a6c4650f8afad3b64085a0391a5dbfb0927a21001df

SHA512
969c34ef3801138291d200457ffe6217611d1b43fb8c9e7ae9ad72820ab14bfbfc757d3c447e6c9ef7bd89db4141e928e03716e40c223c2831985c7bbe3aad18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
d6cf7c81a644dd57b682b2f512bb446a

SHA1
f537cf3003e75caea618e555986d8ded09fc3c6c

SHA256
2ab8c490b65f146af82fcbe1e8bd2ce94f2acf617ccaf8c5f45c74e855588ee9

SHA512
9f2825b1d06f3f5700633f13ff26d5a819fc8b2fa40c5d12996518b244396c1e97d54efa804564f20c010cfc4272041b8c41fd2700ddd7400002270a3d18d3f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
7024b724b2637f7036474159e133dbc8

SHA1
9d585a8df91293c1964dee02cedf8193c61987a8

SHA256
47debaa639d8a548e4b2c56f19bb7376a8aa0888461d1cbae4188d079b675cd3

SHA512
3ba973f10294aaa2c4e0e1f1af78952e026ad33aaa5fb0e9540c6ba9b6fe2d3a5729eeafa7ace0d5adb9449c955d937fea9ed3b0065570a21f9c6c31443805a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
b1ae1c28d21194736cca78c3fbc5ac3e

SHA1
79cea1d9d5e19783ba6ff833cefceb64b28e4490

SHA256
e27e44bce96d4c6c1fa01467024d1e42d11b08fca41b28aba608b84b889a7a5e

SHA512
788d473285b90e8ce79a2c01806d43a35a1e6535063b35831dbfe12b423538a690543553ed62e8c5d42e3478f02d36f9e98e14530382ff350dc4bb057fb5582c

Download Submit
memory/1760-17-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-28-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-26-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-25-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-24-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-23-0x00007FFA04015000-0x00007FFA04016000-memory.dmp

Filesize
4KB

Download
memory/1760-22-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-21-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-20-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-19-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-18-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-16-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-14-0x0000000001620000-0x0000000001628000-memory.dmp

Filesize
32KB

Download
memory/1760-13-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-12-0x000000001C720000-0x000000001C7BC000-memory.dmp

Filesize
624KB

Download
memory/1760-11-0x000000001C5D0000-0x000000001C676000-memory.dmp

Filesize
664KB

Download
memory/1760-10-0x00007FFA03D60000-0x00007FFA04701000-memory.dmp

Filesize
9.6MB

Download
memory/1760-9-0x000000001C050000-0x000000001C51E000-memory.dmp

Filesize
4.8MB

Download
memory/1760-8-0x00007FFA04015000-0x00007FFA04016000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads