Analysis
max time kernel: 54s
max time network: 58s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/01/2025, 00:01
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/WarzoneRAT.exe
Resource
win11-20241007-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/WarzoneRAT.exe
Malware Config
Extracted
warzonerat
168.61.222.215:5400
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource | yara_rule
behavioral1/memory/4640-482-0x00000000052B0000-0x00000000052D8000-memory.dmp | rezer0
-
Warzone RAT payload 4 IoCs
resource | yara_rule
behavioral1/memory/4536-489-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/4536-492-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/4536-493-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/4536-503-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid | Process
4640 | WarzoneRAT.exe
1292 | WarzoneRAT.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
15 | raw.githubusercontent.com
16 | raw.githubusercontent.com
36 | raw.githubusercontent.com
14 | raw.githubusercontent.com
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4640 set thread context of 4536 | 4640 | WarzoneRAT.exe | 91
PID 1292 set thread context of 4736 | 1292 | WarzoneRAT.exe | 99
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier | firefox.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WarzoneRAT.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WarzoneRAT.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | firefox.exe
-
NTFS ADS 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA | WarzoneRAT.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3376 | schtasks.exe
4256 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
4640 | WarzoneRAT.exe
4640 | WarzoneRAT.exe
4640 | WarzoneRAT.exe
1292 | WarzoneRAT.exe
1292 | WarzoneRAT.exe
1292 | WarzoneRAT.exe
1292 | WarzoneRAT.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1968 | firefox.exe
Token: SeDebugPrivilege | 1968 | firefox.exe
Token: SeDebugPrivilege | 4640 | WarzoneRAT.exe
Token: SeDebugPrivilege | 4536 | MSBuild.exe
Token: SeDebugPrivilege | 4536 | MSBuild.exe
Token: SeBackupPrivilege | 1364 | svchost.exe
Token: SeRestorePrivilege | 1364 | svchost.exe
Token: SeSecurityPrivilege | 1364 | svchost.exe
Token: SeTakeOwnershipPrivilege | 1364 | svchost.exe
Token: 35 | 1364 | svchost.exe
Token: SeDebugPrivilege | 1292 | WarzoneRAT.exe
-
Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process
1968 | firefox.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1968 | firefox.exe
1968 | firefox.exe
1968 | firefox.exe
1968 | firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2120 wrote to memory of 1968 | 2120 | firefox.exe | 77
PID 1968 wrote to memory of 1004 | 1968 | firefox.exe | 78
PID 1968 wrote to memory of 3748 | 1968 | firefox.exe | 79
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/WarzoneRAT.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/WarzoneRAT.exe 2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abad9bd4-b837-4745-846d-ea3ee60b7d5b} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" gpu 3⤵
PID:1004
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {189fd499-8fc2-4148-bb21-554ad989de17} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" socket 3⤵
PID:3748
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1644 -childID 1 -isForBrowser -prefsHandle 2596 -prefMapHandle 2592 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ae72d3-0a51-4265-9a7d-75d1f7dc11b9} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab 3⤵
PID:3380
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3884 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94c9dd48-c7a4-42cb-a77c-667f2920e054} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab 3⤵
PID:976
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4808 -prefMapHandle 4692 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d598e3db-03d0-405f-a0c6-f3e691a84eb8} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" utility 3⤵
- Checks processor information in registry
PID:5016
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 3 -isForBrowser -prefsHandle 5676 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed35675a-8c70-4519-96ca-e2ac177a5a98} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab 3⤵
PID:3668
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5900 -childID 4 -isForBrowser -prefsHandle 5736 -prefMapHandle 5748 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7601bae-5f55-4c5b-ad44-bb21f8d84248} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab 3⤵
PID:4288
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6080 -childID 5 -isForBrowser -prefsHandle 5980 -prefMapHandle 5988 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1400 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ef6502c-5015-433a-9e90-95bc61677592} 1968 "\\.\pipe\gecko-crash-server-pipe.1968" tab 3⤵
PID:4996
-
-
C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe" 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640 -
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1E8.tmp" 4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3376
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4536
-
-
-
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵
PID:832
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe" 1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292 -
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61C2.tmp" 2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4256
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" 2⤵
- System Location Discovery: System Language Discovery
PID:4736
-
Network
MITRE ATT&CK Enterprise v15
Downloads