warzonerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/WarzoneRAT[.]exe

Analysis

max time kernel
54s
max time network
58s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03/01/2025, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/WarzoneRAT.exe

Score

10^/10

warzonerat defense_evasion discovery infostealer rat rezer0

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/4640-482-0x00000000052B0000-0x00000000052D8000-memory.dmp	rezer0

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/4536-489-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/4536-492-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/4536-493-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/4536-503-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4640	WarzoneRAT.exe
1292	WarzoneRAT.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com
36	raw.githubusercontent.com
14	raw.githubusercontent.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4640 set thread context of 4536	4640	WarzoneRAT.exe	91
PID 1292 set thread context of 4736	1292	WarzoneRAT.exe	99

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3376	schtasks.exe
4256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4640	WarzoneRAT.exe
4640	WarzoneRAT.exe
4640	WarzoneRAT.exe
1292	WarzoneRAT.exe
1292	WarzoneRAT.exe
1292	WarzoneRAT.exe
1292	WarzoneRAT.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	1968	firefox.exe
Token: SeDebugPrivilege	4640	WarzoneRAT.exe
Token: SeDebugPrivilege	4536	MSBuild.exe
Token: SeDebugPrivilege	4536	MSBuild.exe
Token: SeBackupPrivilege	1364	svchost.exe
Token: SeRestorePrivilege	1364	svchost.exe
Token: SeSecurityPrivilege	1364	svchost.exe
Token: SeTakeOwnershipPrivilege	1364	svchost.exe
Token: 35	1364	svchost.exe
Token: SeDebugPrivilege	1292	WarzoneRAT.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe
1968	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 2120 wrote to memory of 1968	2120	firefox.exe	77
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 1004	1968	firefox.exe	78
PID 1968 wrote to memory of 3748	1968	firefox.exe	79
PID 1968 wrote to memory of 3748	1968	firefox.exe	79
PID 1968 wrote to memory of 3748	1968	firefox.exe	79
PID 1968 wrote to memory of 3748	1968	firefox.exe	79
PID 1968 wrote to memory of 3748	1968	firefox.exe	79
PID 1968 wrote to memory of 3748	1968	firefox.exe	79
PID 1968 wrote to memory of 3748	1968	firefox.exe	79
PID 1968 wrote to memory of 3748	1968	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/WarzoneRAT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/WarzoneRAT.exe
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abad9bd4-b837-4745-846d-ea3ee60b7d5b} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" gpu
    3⤵
    PID:1004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {189fd499-8fc2-4148-bb21-554ad989de17} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" socket
    3⤵
    PID:3748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1644 -childID 1 -isForBrowser -prefsHandle 2596 -prefMapHandle 2592 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ae72d3-0a51-4265-9a7d-75d1f7dc11b9} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:3380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3884 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94c9dd48-c7a4-42cb-a77c-667f2920e054} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4808 -prefMapHandle 4692 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d598e3db-03d0-405f-a0c6-f3e691a84eb8} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" utility
    3⤵
    - Checks processor information in registry
    PID:5016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 3 -isForBrowser -prefsHandle 5676 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed35675a-8c70-4519-96ca-e2ac177a5a98} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:3668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 4 -isForBrowser -prefsHandle 5736 -prefMapHandle 5748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7601bae-5f55-4c5b-ad44-bb21f8d84248} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:4288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6080 -childID 5 -isForBrowser -prefsHandle 5980 -prefMapHandle 5988 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ef6502c-5015-433a-9e90-95bc61677592} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab
    3⤵
    PID:4996
- - C:\Users\Admin\Downloads\WarzoneRAT.exe
    "C:\Users\Admin\Downloads\WarzoneRAT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1E8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61C2.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log

Filesize
507B

MD5
a0c3e1aca0335d2d3a6c16038a5e1feb

SHA1
865132ecfd8bc3781419e10a57ef33686d80f83f

SHA256
68e52b0dae9281848730d457702a3fbe0868a0209d2740c9b5435dcf872d1072

SHA512
6b5dc7bb61bebea323e806e4eeaac8383621c84be7545af744923445dc4545b9395abcd8f7b82f8b30fddc28872e3f47a010a271f588b5dd725cdd1be2ee4ed8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
6e896b6adaca63ca825e7b5276195df3

SHA1
8f02814aed9f0416d0749d5e665a0371c26ffad3

SHA256
f7ab1e36668c7a1277fd488397bdbebb219a9d63ee9dc22c85ca22e43b4dfa21

SHA512
5d6eca272d927ad804209714c735206f577a3f1712ece2ccef1d8513c38c040ef2820f4687e0fc104cdc449d83c840c7faa24fbb08bc5aa27a89255793c01b8f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1E8.tmp

Filesize
1KB

MD5
8df3e97a84cebe222a2c3da04ae22dbe

SHA1
d00c502113f1ed42a2a0b7b436eaba0158400433

SHA256
65546adef2a48667df8fece0c7ca3ad3c12f0b468ec92906ea00d2935932d25b

SHA512
bc11b90bbe09d6849cfddb776d92003cfdf8fb2274375b57e84fe49a07313af971d1c48686611cc3fe74a67a2e006847b3ac0cbb2c61387a9f3763a4d965b27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
6KB

MD5
148eff4b943e194a6229ec40efce611e

SHA1
aac8e0ca9cc0d5f55cae581df98ce9b414f617de

SHA256
00be97567659957b44b59185576bf7da7006c9ae60b041419bbc9a291ce0afb1

SHA512
06a9932b9f34d8999edd31d3594e8a466b93bb3ac32955124630a0b6759cd94c26ce79761518b854d9e7c86e588199221f76931d13f16555ed8a5add9add855b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.bin

Filesize
22KB

MD5
2df19e5a98e45210b9cd56d6bcb649e1

SHA1
db9acf6c9d38a3e9b3461c44fa8f8683aad176e2

SHA256
9e69b6e765363e79fd8f378c6cc7496179a43b43a3db84291674ae1ab3d46678

SHA512
0c328d8ac742ea6df36db1cfe85ff86bde391ceaf597c642b3a32511f221308673c3489e279b5c708ae28f677f5a7c2b9fed91520cd7abc8edb1a2da68978d6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
f0ceb74255727c92865873fc03c71f14

SHA1
1364feb639e560d7dfbcd60cc2b81fdcb325d02c

SHA256
7155d944fdb7d3b8f6fad2420899fd1d51221589c3b5a407ebe9a6dfff75adb9

SHA512
1e02bb847cda8726e54679e43c549cfe629859c5633f22455417ee8a32f5347fe9fcca15892f5f104fe32c8958d1ad30eaa64b46f915c4fad9d66bd583243cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
f5bfc2e7cc645629100e1fc511328b68

SHA1
1ddf38b90d62797a1bd369d89e18503b51a01b2d

SHA256
8dc652ed2adeccb1604fdb53c8f303a6886edc0230dafdb38084c694dd10e1ef

SHA512
d13d9d3eab2b61ca9f3bd968a0661e88c43938dd31eb0f3a93195db5d1c5ec4e171c62c979832d4ede4414d7a92e4e6cac21f7dfe3982a2fd11f9eae6f8c73fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\0e134057-ec3b-43c5-ace8-21e61feefd33

Filesize
659B

MD5
483ef4e1ddf3303bda86d789bb655421

SHA1
86986085e95c64cd4a64cab15ced4bef90f4b4be

SHA256
0a8708b119cc5a00592fa5db6b295c58d2be233a06a926d3ad980101faa0e76f

SHA512
a50afbc6d825bfe809860162ec6e9c7f3c904670deaaa945fac5298436c96230295dddb12b0d7b87fcd98870175b7c31fa5952eedb5fd43c4123af3b31b5dbd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\a8a221b2-c6ad-492b-8c0a-c57db097cb3f

Filesize
982B

MD5
55bda09ac4055d575e430e86a83f6b29

SHA1
a4143644b8c9bde3766886ff7ef913d37499f7be

SHA256
2c86330ff5b0b8e19538df063c327826b725efe847d98f51d49f0fb558620883

SHA512
672a6a0aa8e50895ae3541e97d4e398861ba41a942b5a3235d4105946e423b0b21022d80d9494d0773664607ea39c40768c9b92986cdf7874db6bb210582e64a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
10KB

MD5
bd185a9940bf80076350e9a785999a0b

SHA1
1fa9b702d98e5746cea2b4c395968779e6213cdc

SHA256
11c3938106e4080618c05579f541d0bcd5c644ebf890bd0dd2369876e313c80a

SHA512
2fb60f7070e27cf3a815ba688f0b3b87ec2de47d6138e802cf0e9f0d085321003861ff74ac4488d1b89405838b96a6ec09c641afb85a38230cf0b6e540a13b95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
11KB

MD5
1a083401380bc15eb8830b92afc06edb

SHA1
a4eece95b3d3cea24ffc8aa44506986d54caeadd

SHA256
002caeac26423c340e9c4fe7bc60ba36ee9b742328b940b1b3ec9ac213c690aa

SHA512
957efa1da8411f9c30b98caad5b05f5f6c326ec327667d1e6295f3cc4f2a93360aff7fd127a134cba01a79dcac2bd70caa1ba19887b322d3d8c1851685ab5ac3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs.js

Filesize
11KB

MD5
e79fdeefa3bef86068e4552ee4c9a6b6

SHA1
0e768b326b7f99d83c09e540f0b2a158e9a541e4

SHA256
f01fe1739050685c5732c29d001261bfc84f809e04ad125555ebb40db865b2c7

SHA512
981a2b9fd8b23eb799d0791875ee671883362d61e9c81f83658b48efd4fe87830128d8b86d5980be8482baddc1a206bfb881ba74fc8a1b4773c462dcf0dcf871

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
10f2b3518750e9dc493ac4bebf4250fa

SHA1
a1494317b3c65d4794ca7f20d1fa85ba2aeb1d5e

SHA256
d44d390a348d8aaaa55394482d8a6ee8d2008515d7b99f2936ebde10065634aa

SHA512
1761484de552e566d7a2d41ce7cfd36191930d748b2d3b2df66a51730598b9aca0680fdcd8a55268d0cb73c4d47693c15e5b04aaa7aa3a2c99ae5adb7200ec67

Download Submit
C:\Users\Admin\Downloads\WarzoneRAT.exe

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
memory/4536-492-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4536-493-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4536-489-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4536-503-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4640-479-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/4640-502-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download
memory/4640-482-0x00000000052B0000-0x00000000052D8000-memory.dmp

Filesize
160KB

Download
memory/4640-481-0x0000000005BB0000-0x0000000005C4C000-memory.dmp

Filesize
624KB

Download
memory/4640-480-0x0000000005110000-0x0000000005118000-memory.dmp

Filesize
32KB

Download
memory/4640-478-0x0000000074B20000-0x00000000752D1000-memory.dmp

Filesize
7.7MB

Download
memory/4640-477-0x0000000005600000-0x0000000005BA6000-memory.dmp

Filesize
5.6MB

Download
memory/4640-476-0x00000000003C0000-0x0000000000416000-memory.dmp

Filesize
344KB

Download
memory/4640-475-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download