revengerat | 1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980e

Analysis

max time kernel
101s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980eN.exe
Size

578KB
MD5

859413c0ba0ab45d3d6e92cc75d7cdb0
SHA1

b538014b838377a3e5296287bb7a84dd02799a97
SHA256

1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980e
SHA512

964c3ddaae1d7cfd8b92d85dd4b85a2c1d7fd6c2d89435ddc46cdf05d58944591204b08cbf0f993edc809f92443a86692f30f43b2c63f6736d7df1f0e8b9e214
SSDEEP

6144:tKld3FcfCElJk125U8SpVUagDsvb6mgmw4sFfTysVufBn597NX2s:tkVcfXlJkE5YVUjuOjysgfBnnl2s

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023c82-6.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ocs_v6z.exe

Executes dropped EXE 1 IoCs

pid	Process
3140	ocs_v6z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980eN.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	ocs_v6z.exe
Token: SeDebugPrivilege	2848	firefox.exe
Token: SeDebugPrivilege	2848	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe
2848	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4736	1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980eN.exe
3140	ocs_v6z.exe
3140	ocs_v6z.exe
2848	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3140	4736	1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980eN.exe	83
PID 4736 wrote to memory of 3140	4736	1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980eN.exe	83
PID 3140 wrote to memory of 740	3140	ocs_v6z.exe	84
PID 3140 wrote to memory of 740	3140	ocs_v6z.exe	84
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 740 wrote to memory of 2848	740	firefox.exe	85
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 1652	2848	firefox.exe	86
PID 2848 wrote to memory of 5084	2848	firefox.exe	87
PID 2848 wrote to memory of 5084	2848	firefox.exe	87
PID 2848 wrote to memory of 5084	2848	firefox.exe	87
PID 2848 wrote to memory of 5084	2848	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980eN.exe
"C:\Users\Admin\AppData\Local\Temp\1dbec87d810b6cd9423680b2f84433cb10f6640b72cc0171b5cd32a4639d980eN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -555175 -dcude -6aa2c8fc392d4f159dd9827d875dc51d - -en -jokczfbjpjzylpkq
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=555175&appname=[APPNAME]&cbstate=&uid=7794fe68-45a6-42d2-9f92-ddd6a9cab802&sid=6aa2c8fc392d4f159dd9827d875dc51d&scid=&source=en&language=en-US&cdata=utyp-31.userid-373538386166383338366565616338323336306438336639.ua-66697265666f782e657865
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=555175&appname=[APPNAME]&cbstate=&uid=7794fe68-45a6-42d2-9f92-ddd6a9cab802&sid=6aa2c8fc392d4f159dd9827d875dc51d&scid=&source=en&language=en-US&cdata=utyp-31.userid-373538386166383338366565616338323336306438336639.ua-66697265666f782e657865
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a64edf0c-016e-4217-8889-807ee2780420} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" gpu
        5⤵
        
        PID:1652
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ef09a79-77b9-40e2-88e6-8aa39660313d} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" socket
        5⤵
        
        PID:5084
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4be6efe9-d45b-4379-a416-5310df57ad6f} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" tab
        5⤵
        
        PID:4292
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4028 -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 3872 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d08c24b-9fcc-4bde-baaf-7406d0687ef0} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" tab
        5⤵
        
        PID:2876
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4764 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {692a34a0-830d-44db-9460-b47b9ea25b59} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" utility
        5⤵
        Checks processor information in registry
        
        PID:3636
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5288 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60efc307-9fb7-4bab-a1c4-84e2197db307} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" tab
        5⤵
        
        PID:952
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d35f99-a350-4a2e-8a69-16edf217ba3d} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" tab
        5⤵
        
        PID:2024
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a002a23d-e27f-48ce-97a8-08b6870a46a2} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" tab
        5⤵
        
        PID:5108
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4432 -childID 6 -isForBrowser -prefsHandle 5892 -prefMapHandle 1584 -prefsLen 30948 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ab03124-9a7a-49be-b982-502eeb141b47} 2848 "\\.\pipe\gecko-crash-server-pipe.2848" tab
        5⤵
        
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
b12c2640417c99f817c169c7e1a565ae

SHA1
0adcb777b1f7ad3b5cf61150664eae7a395c0a0b

SHA256
c7df3212840a3a40e6733e7ebaaddd8d347710c007157ba1fbc8389f7f9e47dc

SHA512
f70196b810922532caaddca84f9cb151dc35a7eaf4ae1605519728ad551f65bba0a770be3d2c80c24864eee9f798c231444e9cfe89a10f3a2638218fb06b3348

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\D18FB7DA89F8DD4E7A2C97703A1647E8C981D05A

Filesize
13KB

MD5
c8ac348dfb17b1bc3bbadd718ccce6b7

SHA1
20d4f3540ea02e8660e18213de3fd0941faccf5f

SHA256
607b47bca8aa69899f867ebafa15ed43248de8cfdd261ff2812d154deee5b7a9

SHA512
df035da38cb059949b6763f06f7cba1f02b131e4ca91e43e1d7915e62ed80f655932b1adff0b2dc5d1acf09d175491afae7a426db5ebff1b11bcd186b9548522

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
4b6ec61250f1cdc3b2173f160bcc34a1

SHA1
7cadc95196483f7fa152cee087aeb18175e3758a

SHA256
2b78213546f164374242df2e33f3be2c7f06a9928db720551eb2f7f1a51cc921

SHA512
6d305a4acd3409c729440c59f67502607c78f68264a95bd4319b3ecc6e231e2559301a30d6a18d81523afb3c9203417bb2695b4fb29a8c5ec4db208a29ce9a9d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\jokczfbjpjzylpkq.dat

Filesize
91B

MD5
404a7679c5a70c38de354f87d537ca39

SHA1
5d33433a70b49f03a6fc448b778bbf7be41187b5

SHA256
96950de153a245f1aead7e2edcdc266236d7f0a6b5d0be4703565cef45f1f7df

SHA512
3502307cdc103755dab5dfc3f124e67323bde3b28bed6ca177eb8344030ace304329337a959eb4ada96d43a0482a7be7a99a0bb8aef322e0516c29e08d32aa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe

Filesize
312KB

MD5
09f02c017e40a998537f26d0caee8d22

SHA1
7676d2f17068a9050bbbbe10908e75bc5d59b631

SHA256
fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7

SHA512
0c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
8KB

MD5
7ced0b2faccb32e8a2f4175a46fdaaf0

SHA1
f998ad3de73194f87d06f255b0b0848d419a8429

SHA256
de65f67463a1d59ab2d89618a3a8a487b47e71445b5d9a4146afa2672cfc4b2d

SHA512
02e21777252b65eb45277c1dee5ed076d745c15378f831cf807a736506729b9705cbb4fac3bd43398dea4f4975259daeaabc2abff77242bf030c7e3538bb2678

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin

Filesize
6KB

MD5
45f24f22680b60a4018b81c0ee2356be

SHA1
60379e56fb21a87d3a1df0a31af8cd6ec73ba314

SHA256
084fbd5edc650107f3fe3eafed96fdd47fc495f7506038896f41efea700c2cc5

SHA512
5dc1067ecf807e1988e3693105466d487f62c9d9a75a66f9153e9cb60b206845b92449a8c07add493a5496c9a67eaa4dc3a5e06b32b9c0768cee64a9ffa1365d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b4be4efb4e18b72061f5edd2e5bee331

SHA1
3eac72f77a33335939db3fd42572ab124af753cb

SHA256
9d4527cd02cc974f6b00d060f8c3aa156f5d8002d6c2dccb79abad1a50e0d7cf

SHA512
438c2b6804e857a94bb4ae7636b9122b54c815c97377e49580253ce6148d5f908afbb3c95a759b9f85ea71ab1b34d1e3daa2f352a382faf115322803f708c75c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9676a4c9707c2f0afa63408f78406418

SHA1
90c865ab289f3ce876323d82d27df3d3bcad7f3d

SHA256
60336308a140428bd31d65afe3b5cb611cd6e085498420714b0ea51cc0cc73f1

SHA512
282057d827ddd99674110740c9f5e72d2e850d09a97abe5f4586d12794c9be5482284ddb05ad51069ad5e519f12cbdcd89c3585a789304de57fab7a5bff60031

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
4cfaea1de8df8a056addd4aba0bed356

SHA1
ac53d40dee714ef2491a327bf9c6b893bf931d94

SHA256
1dfa7940ba80bca3c59d9276efce7a77f380966d9fc3109be9fbe01f50793cf3

SHA512
597ded82b5170cbb5cea4a63e3560980a0ecd5556742a83767e6c355b441be384bb31c8b3d7eaee709a8fd2b958726ce9dd4a1554860a69a528fa47cde9d6b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\50585cd4-5648-4879-be84-0ef50cc2207c

Filesize
27KB

MD5
4cbd3bbae5e79bab80d6a26dd60dd2d4

SHA1
9bb1b4cc9dbd149d872594bcc840ec539d713312

SHA256
f383337344384244a4bd56e1d397d508a228d73c59140aef4316f54d758ae65a

SHA512
09d25629616c98c839b0f00d36a0de3d432ce7973172c5484082d5d919075362aec1d768a864b7716f3452995a8c9e83f06c848122be1692b2490c3685cec920

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\5263d9e7-6eb1-4f6a-acca-ecab56ce565e

Filesize
671B

MD5
bb4cd7846316936511210283e15047fa

SHA1
01b3f92dcbcd5ccdf5429ddddf2c5df56cf5b755

SHA256
3b2ab6341baa517c738cd7b408a3da9dd713f91b5a637768908f5eee84b1c34f

SHA512
5dfcc36a835758e599cd0bfb09cdff656d152d61021e60dd7d53566316bd9e895b075efa5f6bc010b0768bdff4cf150a0b18069c8aeaf8e72a49909e25de8f8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\5ec34161-268d-4844-a6bb-238fb27e31c1

Filesize
982B

MD5
4e6dc5d8f394467b3469804e429170c7

SHA1
a8b820209e97f061af7a32778e6d21767318493f

SHA256
a77a117c17880124c0c2ce74db12e27935dd433c4b9545b850b8a5fd6dcf1eaf

SHA512
8286fdeaba50ed9bfab792f3dc903ce13384a2f503eb9e9fe8f0d1ffa169597ab60d91b3918fb13ab6d4055e65d31bee256f20e33d546676de644a18d26ba516

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
10KB

MD5
ef2d29c023426d37f839da53336eb48f

SHA1
efb79a24d092149f3f7fba93a2e801c6d1b4d882

SHA256
9cc50767bea38352734a01d235a52fe4a51712e3352c2416e91e43166addaabe

SHA512
8f189f81d6ecefa06270e3011e99adbb3740bc89b66e0786a0273ec0a8ca7b9176e88ac32e3909f5dda85620fa3c8cf9906017223ec9879e8f5da0c33d5c1eb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
14KB

MD5
4cc6bdef6f786f6ae644dfa74255333f

SHA1
67bd4109c60bda4976cef38628e60efa6331bbfa

SHA256
acdf985c93cd2520ab0a4fb9b2d2d43a5c3e68da7530bb4e53cbe29e756e45a3

SHA512
2485d0a0a4d50e9aac8a37f38701686ebf90d9ee3a75d21f450912cc35c28480f7a9b783f97216a2eff6104551879af6584be7ccc98a1a3caf35ce08b11e0636

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
10KB

MD5
7bdc18ae922760a25798be030a73efee

SHA1
1ccfbc797a075220af64640c2361d90245a29f86

SHA256
8200486b742113e6e2428aac88ab87d397ae1fa3927a127a3669242683e4b12f

SHA512
5dcf8c0c9e8f8223fa0281d52940eddb547de02575e966c508ef5b858d993ae0011929398830d0178f78c93267b5deee14c0a7906dc71a424299e895fc1e0a90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
660325869e77c5727d4a190be807879b

SHA1
7a1d0f467f9b51c3c82d18e954af1dfb8ca38c19

SHA256
2d032d88183bb2ab2828d747177fffc64666c59d2999c68df69d5d81743ef5c2

SHA512
f9b8ccd06f5b924f0b10034a3279ced9ef8b8c5ad7ab3b66498b713c00abdb95e548d1452b20744d4d813f84dfff7432da1969590be9fbbcbfd8bbfa2fe0d612

Download Submit
memory/3140-14-0x0000000001300000-0x0000000001308000-memory.dmp

Filesize
32KB

Download
memory/3140-22-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-17-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-13-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-27-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-25-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-12-0x000000001C3E0000-0x000000001C47C000-memory.dmp

Filesize
624KB

Download
memory/3140-24-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-23-0x00007FFB76915000-0x00007FFB76916000-memory.dmp

Filesize
4KB

Download
memory/3140-16-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-11-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-10-0x000000001B8A0000-0x000000001B946000-memory.dmp

Filesize
664KB

Download
memory/3140-9-0x000000001BE60000-0x000000001C32E000-memory.dmp

Filesize
4.8MB

Download
memory/3140-8-0x00007FFB76915000-0x00007FFB76916000-memory.dmp

Filesize
4KB

Download
memory/3140-21-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-20-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-19-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download
memory/3140-18-0x00007FFB76660000-0x00007FFB77001000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads