Malware Analysis Report

2025-04-14 05:10

Sample ID 250108-ckhqhszjcx
Target a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe
SHA256 a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6
Tags revengerat discovery stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6

Threat Level: Known bad

The file a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe was found to be: Known bad.

Malicious Activity Summary

revengerat discovery stealer trojan

Revengerat family

RevengeRAT

RevengeRat Executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Checks processor information in registry

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-01-08 02:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-01-08 02:07
Reported 2025-01-08 02:10
Platform win7-20240903-en
Max time kernel 68s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
PID 2744 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
PID 2744 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
PID 2744 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
PID 2740 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2740 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2740 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2596 wrote to memory of 2656 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2656 wrote to memory of 2400 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe

"C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -3742138 -dcude -87b0d7bb8b0f4880b0848e394944b143 - -de -givogrerdrgkecwi

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=01f499ff-df9b-49b5-baeb-dd1896ce8af3&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=01f499ff-df9b-49b5-baeb-dd1896ce8af3&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.0.1057432802\1744199841" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1180 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94787a8e-ef27-4e5a-8725-199f6daf5803} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 1296 4107a58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.1.1043120391\322913509" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3c2970e-fc74-4156-88c7-5cc0575493a6} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 1512 41cb458 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.2.1419486636\2097456915" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {694337c2-0898-4c58-a9fe-e76ef7fa2abf} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 2060 19ea1e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.3.1470495688\2078478031" -childID 2 -isForBrowser -prefsHandle 2900 -prefMapHandle 2896 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bb685ba-6ef9-4d49-9243-b55cdc9be235} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 2912 1d103858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.4.798126055\632141931" -childID 3 -isForBrowser -prefsHandle 3772 -prefMapHandle 3768 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0356065-1416-48c5-9d8f-de0c7d229f60} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 3784 2134dc58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.5.1373225042\1851973907" -childID 4 -isForBrowser -prefsHandle 3892 -prefMapHandle 3896 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7446b40-e85f-442c-aff7-8e9bc3a7767e} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 3880 2134e558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.6.681627963\872680916" -childID 5 -isForBrowser -prefsHandle 4056 -prefMapHandle 4060 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebd91e69-9656-49b8-ab0f-4b50d9f58360} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 4044 213dbf58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.7.1830935109\763514459" -childID 6 -isForBrowser -prefsHandle 1756 -prefMapHandle 4300 -prefsLen 27487 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bd53d80-b978-4d43-a4ea-0353e9561016} 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 2348 19e44b58 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.download-sponsor.de udp
DE 176.9.175.237:80 www.download-sponsor.de tcp
US 8.8.8.8:53 bin.download-sponsor.de udp
DE 176.9.175.234:80 bin.download-sponsor.de tcp
N/A 127.0.0.1:49235 tcp
N/A 127.0.0.1:49243 tcp
DE 176.9.175.237:80 www.download-sponsor.de tcp
US 8.8.8.8:53 www.download-sponsor.de udp
DE 176.9.175.237:80 www.download-sponsor.de tcp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 www.download-sponsor.de udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 dcude.download-sponsor.de udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
DE 176.9.175.237:80 dcude.download-sponsor.de tcp
US 8.8.8.8:53 dcude.download-sponsor.de udp
US 8.8.8.8:53 dcude.download-sponsor.de udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 survey.download-sponsor.de udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
DE 176.9.175.237:80 survey.download-sponsor.de tcp
US 8.8.8.8:53 survey.download-sponsor.de udp
US 8.8.8.8:53 survey.download-sponsor.de udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 8.8.8.8:53 d.addelive.com udp
US 8.8.8.8:53 download-sponsor.de udp
US 8.8.8.8:53 files.download-sponsor.de udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 66.216.109.248:80 d.addelive.com tcp
US 8.8.8.8:53 d.addelive.com udp
DE 176.9.175.237:80 files.download-sponsor.de tcp
US 8.8.8.8:53 download-sponsor.de udp
DE 176.9.175.237:80 download-sponsor.de tcp
US 8.8.8.8:53 files.download-sponsor.de udp
US 8.8.8.8:53 d.addelive.com udp
US 8.8.8.8:53 download-sponsor.de udp
US 8.8.8.8:53 files.download-sponsor.de udp
US 66.216.109.248:80 d.addelive.com tcp
US 8.8.8.8:53 download.chip.eu udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4---sn-aigzrnsz.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigzrnsz.gvt1.com udp
GB 74.125.175.169:443 r4.sn-aigzrnsz.gvt1.com udp
US 66.216.109.248:80 d.addelive.com tcp
US 66.216.109.248:80 d.addelive.com tcp
US 8.8.8.8:53 impressum.thinklabs-ltd.de udp
US 8.8.8.8:53 impressum.thinklabs-ltd.de udp
US 8.8.8.8:53 impressum.thinklabs-ltd.de udp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp

Files

\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe

MD5 09f02c017e40a998537f26d0caee8d22
SHA1 7676d2f17068a9050bbbbe10908e75bc5d59b631
SHA256 fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7
SHA512 0c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7

memory/2740-12-0x000007FEF692E000-0x000007FEF692F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\givogrerdrgkecwi.dat

MD5 29931ac60ae442addd2a0830e9ad803d
SHA1 3c840088ad911f95f43c71c02bcf2bb9828ab218
SHA256 28d786ed1eac91eee25869406704cd49da519ce4ab82a1959555e7fc556fcbca
SHA512 4e076872b44999ec3aa08b48b038b1dce1776c4f0a69c48fe4a0f376e3278417a4edce94b00589ca64d4415f13300beefbc26412894c52417892dd713feaabe5

memory/2740-14-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-15-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-16-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-17-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-18-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-19-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-20-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-21-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-22-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-23-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-24-0x000007FEF692E000-0x000007FEF692F000-memory.dmp

memory/2740-25-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

memory/2740-26-0x000007FEF6670000-0x000007FEF700D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin

MD5 f1f5d754c7bcd7928cf950d384cf9706
SHA1 40cc757708512f8858218dec127744a72c0a20e7
SHA256 5aa5a85ab344be34b81b9233099d6944be5c3872af8e75c18e77e067c8331800
SHA512 1be43ba22d77ac9d388dfa43d08e2cdb80f2384b7f90125ff5831fb75a9839074b4ce4dc3133de2023c883e919aaf95e4ed42db7ab7bdcc3d2a746826edf4db4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\dd2dcfc9-4c4d-41b8-a874-95f597f71984

MD5 41074153b4ece9c56ced2d3789081d46
SHA1 8d82549938189a3944c947962e5f2e877b4b7c39
SHA256 e7f45bc541aca405152059ef40b4f9850b13575c6408648fd787cedf7bccfb10
SHA512 974c12566dc783d86dae1c61ee1a4d39505ccdbf6922739a84a2ed85b3bf4e5e1484d6a16b79be9ce2156efbb7b61d186b3b8ed4382d63d55160f73c0867d3bd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp

MD5 2d0c77e30a96aca5b06b96a58d39243f
SHA1 8acd21dec72785e7af64fdec4b92661b99d4ba22
SHA256 9a7a7c2b7deb463ed9b15b441b81a4428e6de10c323114a9d65dc10aa29d38df
SHA512 f2626c6385528250e4b9668a9fd64d863a287236e201872c470eb67ddc32d0061415e37f8828305ec0f7f2ae60b64d960caf005455874f0114a54995af376184

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js

MD5 5cea4d62f3e75447dc68b6093b7874b9
SHA1 74798624a3d43c94a7de86956b49d7fa47df2d7d
SHA256 f07a86ffecbfa1d0f85277a103d9e435ffa4daa03269030ea540656777820a28
SHA512 71796f13698155acdae5818636ed09b6600454fde21763a1e2c28416b949ee96f1a504e2ab389e582412447bacccd0da089e9c1a71796bccae4c69e2e17d950a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d2b5d49d2d96a003a3f670664b7358f4
SHA1 50f0e9ea7afeb8c31fddebf3df827be0e0702cec
SHA256 05f98aa6ec80782ab7837e20420653e9e71f79cd5164758d1619781d5c4f8899
SHA512 9cafb245411c0f0c4ea8562f88678e681bc5c7d523e26ce54e0f089919d14eddcb9e027dedf0ca97d878aff345e895d68a78b5b8b7113248a0e4914b586052c3

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

MD5 9e6679b877a914f5731f1a5324536753
SHA1 f5cc2b4263aaad8159bce6ab4bb58b301f54762d
SHA256 5b128e4fa1a49b718dfd5d30b639fe90fa1bf7d660efbb0b1d93899910f33b30
SHA512 7fd0a3663f3bcd95cee495ea9a584242f7f7d2647dcdbc9ce2ec89e8c2c124423992121f991a8bb148e724417e2b59ea41ad1f162799ed5b55d27e03b4901895

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js

MD5 6b7d463c186512bb54e33c2ea7940265
SHA1 9ced1f9605a14a2696864c316bb74aa49114fe90
SHA256 767bf2a8d8a6e7b938ca21d0d583a9d893451d59cc231e5e719f672774e2c1e5
SHA512 7404b964208575c1de519ca8c43e7c6ea0da00b6575488e3faacc7adc19d8db794dc19d92ac32d4de10aee708cc060e16c70aa03abab077c47b544e656bf5749

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4

MD5 4347dfaf20de50549266b6a454f74093
SHA1 f88b2e96ef407e312dd42d854e2cb0cf598d3e0f
SHA256 e40a4143fdc3f05e69a319f052390830b8dfa91393b2abd888e8fca0bd337db3
SHA512 07f79ab7402f5f4f610d9767a0be632d66cdbad1383695e3e18f44c656624241206e55a90d26aaaac36e8ec3ae4d7b469049c3bb601ca3e5b1ebf02d752cb9ea

Analysis: behavioral2

Detonation Overview

Submitted 2025-01-08 02:07
Reported 2025-01-08 02:10
Platform win10v2004-20241007-en
Max time kernel 94s
Max time network 115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
PID 1760 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4868 wrote to memory of 3060 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 4012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3060 wrote to memory of 3884 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe

"C:\Users\Admin\AppData\Local\Temp\a7076691e7f7c664382465fe474ce5f186a730ea60a0ecf2623a88ab64bdeeb6N.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -3742138 -dcude -87b0d7bb8b0f4880b0848e394944b143 - -de -tnnwinkueebijodi

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=66a3fd4a-55cf-4eff-8f1b-9c420fc418a6&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=66a3fd4a-55cf-4eff-8f1b-9c420fc418a6&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e657865

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40f16dcb-de3f-4f50-829a-a57576170ceb} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5aac60b-ab78-4b81-9c47-63736d710195} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2712 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3036 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {983297bb-6ecc-403c-8344-f03afdfb671f} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 3640 -prefMapHandle 3108 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {565d537a-7c03-4311-971f-79b9314d6ca6} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4504 -prefMapHandle 4500 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96d84362-b386-46e5-8f67-21f4e4677c2c} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29453c96-c14e-4459-8b0b-4f2b38536f73} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {669afcfa-a5f4-4b11-8869-b353475906fb} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5644 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0298df49-f8c3-4318-9d89-654cee3fd671} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3600 -childID 6 -isForBrowser -prefsHandle 3720 -prefMapHandle 3688 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 956 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b41665d-0b94-4c64-8f21-ab44048035c9} 3060 "\\.\pipe\gecko-crash-server-pipe.3060" tab

Network

Country Destination Domain Proto

Files
