trickbot | 4e988f47cc21b69536d5f7d6b824a0e9890a2d65eeafc139d3f980555bdc5e4f

Resubmissions

21/03/2025, 18:21

250321-wy97gayqw7 10

20/01/2025, 21:36

250120-1f8m5szrey 10

Analysis

max time kernel
115s
max time network
133s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
21/03/2025, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

attendees.xlsm
Size

535KB
MD5

b556307e1e6462a9aea5dc1f76667d10
SHA1

e3525ffd85d51a0a502012492ed1ef54d22eec88
SHA256

804e3a6cde4114e76fa911b699891535c8ed8b637ee9eaad373619e3ce36ee19
SHA512

51666a80ae3ae2ba69954f47e36521ce08cece8dd258498a7cf88e6c2586fa9a66776c78d68538bca5568965ebca87e9d04ce79db2c2388716ab73182af7164b
SSDEEP

12288:E9ijex0VbLbGeH+59SjrPImbT4XXO8RGNQpRtL8PZY4krmStNpc:E9fKVbLte52rPImbCjGWpj8BYVmSt/c

Score

10^/10

trickbot banker discovery packer trojan

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5280	892	tar.exe	80
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4776	892	rundll32.exe	80

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral1/memory/712-59-0x00000000024E0000-0x0000000002519000-memory.dmp	templ_dll
behavioral1/memory/712-63-0x0000000002F30000-0x0000000002F67000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

pid	Process
712	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 31 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
892	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	wermgr.exe
Token: SeDebugPrivilege	4620	taskmgr.exe
Token: SeSystemProfilePrivilege	4620	taskmgr.exe
Token: SeCreateGlobalPrivilege	4620	taskmgr.exe
Token: 33	4620	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4620	taskmgr.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: SeDebugPrivilege	3232	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
892	EXCEL.EXE
892	EXCEL.EXE
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
892	EXCEL.EXE
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 5280	892	EXCEL.EXE	84
PID 892 wrote to memory of 5280	892	EXCEL.EXE	84
PID 892 wrote to memory of 4776	892	EXCEL.EXE	87
PID 892 wrote to memory of 4776	892	EXCEL.EXE	87
PID 4776 wrote to memory of 712	4776	rundll32.exe	88
PID 4776 wrote to memory of 712	4776	rundll32.exe	88
PID 4776 wrote to memory of 712	4776	rundll32.exe	88
PID 712 wrote to memory of 5064	712	rundll32.exe	89
PID 712 wrote to memory of 5064	712	rundll32.exe	89
PID 712 wrote to memory of 5064	712	rundll32.exe	89
PID 712 wrote to memory of 5064	712	rundll32.exe	89
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 5892 wrote to memory of 3232	5892	firefox.exe	99
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100
PID 3232 wrote to memory of 5484	3232	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\attendees.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SYSTEM32\tar.exe
  tar -xf ..\Nioka.meposv -C ..\
  2⤵
  - Process spawned unexpected child process
  PID:5280
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\xl\media\image2.bmp,StartW
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 ..\xl\media\image2.bmp,StartW
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5064

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5892
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1992 -prefsLen 27100 -prefMapHandle 1996 -prefMapSize 270279 -ipcHandle 2072 -initialChannelId {d5b927b7-c4c5-4052-a23b-a0d477d5453a} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:5484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2432 -prefsLen 27136 -prefMapHandle 2436 -prefMapSize 270279 -ipcHandle 2456 -initialChannelId {37a63102-7075-4e81-bc8b-17d9d7fd1fb3} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    - Checks processor information in registry
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3884 -prefsLen 27277 -prefMapHandle 3888 -prefMapSize 270279 -jsInitHandle 3892 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3900 -initialChannelId {93d90485-32ee-4e30-bf2c-c325dcae17fb} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:3768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4048 -prefsLen 27277 -prefMapHandle 4052 -prefMapSize 270279 -ipcHandle 4152 -initialChannelId {c070bdee-1975-488b-881b-4967d62552f3} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2852 -prefsLen 34776 -prefMapHandle 1628 -prefMapSize 270279 -jsInitHandle 1644 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2904 -initialChannelId {d41493ce-90a4-43a8-805c-7588c08f241d} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4976 -prefsLen 35013 -prefMapHandle 4988 -prefMapSize 270279 -ipcHandle 1240 -initialChannelId {46d81aba-9349-410c-bfb0-78f59f4ba7cb} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:3612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5484 -prefsLen 32952 -prefMapHandle 5488 -prefMapSize 270279 -jsInitHandle 5492 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5500 -initialChannelId {fad58997-f927-4b6c-a095-f9bd9b7a6476} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5664 -prefsLen 32952 -prefMapHandle 5668 -prefMapSize 270279 -jsInitHandle 5672 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5680 -initialChannelId {ba569df5-5f99-4656-b0d1-5bd627d9a1d3} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5856 -prefsLen 32952 -prefMapHandle 5860 -prefMapSize 270279 -jsInitHandle 5864 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5868 -initialChannelId {985c6893-91d1-4ab6-ae61-c31d47ac486b} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:3088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5244 -prefsLen 33071 -prefMapHandle 5272 -prefMapSize 270279 -jsInitHandle 5276 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6348 -initialChannelId {9faf3454-8933-46db-b41a-a2ffbcd8c644} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6740 -prefsLen 33071 -prefMapHandle 2956 -prefMapSize 270279 -jsInitHandle 6356 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3208 -initialChannelId {c6ba01c9-7d9c-4f3c-ae88-d5879afbe79a} -parentPid 3232 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3232" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
6ea62b745f262478c28948714f850b84

SHA1
ba2a40de8685f25968e7796b9ea303d0ffd7c6c2

SHA256
94737581d8f54bd83b8c7200b08643ed7619c32fd6f4c6116fb76aaee22cacf5

SHA512
6dba4eddaf94eccff6892747907dab65e687b478309a855f88788af75f9136afa303dfc66d156bc3998798f7ab208d7e1d4269a379460b35a61924b3ec1deef1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
cadac280725d40b5322caf889b18860e

SHA1
74a6388fe33101d06fa3e6a02f7aa57ef754c108

SHA256
3221ec51a2dc6258122ea8efb7bbf5acc62205c904669f7d2bb125dae174dd95

SHA512
86dce91faeac68a152f855fa52a95a6c2089538c30831988973b404a99beffbeb9ff334968ec40f5db2491e19aba9b3bb4c20d4c9a2a80423cad1a2710061cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\AlternateServices.bin

Filesize
7KB

MD5
902dcf7d7452928508f4554224786737

SHA1
c4fe29c82c154fc01a1a96cbe8ce98a3021a53e5

SHA256
a1e346e5484fe5a8acfefee48d16377808708879bba82d552dbae72108f4282b

SHA512
fd5be2c4d4eac774d2405a787fc8578de6d1cb9409877392035de833ebb72ea6be6138b611ae7c79c35b8adb746cc96df626b89ea3f41ef5ab651cca07815b05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a64fab3f95696e84bdb9d3b9ff7b6fb6

SHA1
d355652cfc73023fa4445eb2cb4e7a2c6bdfc8b7

SHA256
f31043034bf94d4f6264ace22b2770b6deee8136be3a593f72010526e7867627

SHA512
00948f1e320c1d6e0de9f657f491efdbdda2483884643c5e674441dae023fe8d3cc80d2335b39f5a03c9c97e0b183ffbfebd44e9e95aaafe6649b8cc7acece24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
59e145a3da2ad8596a50eecdf0f8472a

SHA1
836e2045cfd0cb8be8e64127b4361061885a2975

SHA256
af3236315b2bb799b5e72659a71a470c241223db94ea2ad6d5e821dd17026607

SHA512
27cb1fa6043b15294eb45920a524d35b9b67bf7d111fed74c07c31cbfcaecff023ba65e58e29f3a9ed316100de7d4cd6f3448b6bdfacfe3fce797fb90f02d224

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
c51494ec31eb751dfcbf09a4870d4f8e

SHA1
a19a0488e75b5fdc4cef7cf0b0eee35508f64353

SHA256
6efea49cd6faca5c7922e2959e36d01016b1faa9f6592e0168038bb76290cac8

SHA512
7eb7a6705ad4e2ccfa7547140e9bdff8174d1bccf65b14cd75c991387a984c379f4d2d2f4850a660295dc8d32e9e3b048da770f6d87ec22c32d77f99cb25927a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
50774709b2bf58c90f3e238f18e59f2a

SHA1
b339a51e981259db2bb7995d7a116d6aad1ab0f0

SHA256
b97461145246ee4d0b0d8223ebc905a8a555e2a0c9c2e8b3f3ec5285f133253c

SHA512
4cab096386bcbb6bc0728221b18813d37b700fe2d49b4da4b5a83c79ce2cb855dd04b555a458fa860e568bc78a9b6587acb6daf999cf2fca543638ca60a9fcec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
54014531d9101c7f54e89d9f09907132

SHA1
26053345360386eba8c2ce58cce7ada42b1c58e4

SHA256
214f7301e7738b27377211fe23f10290c395132cdda5628c542ac3876be6f555

SHA512
60051080017d9d5dffd478cdbd8aa8151c896667a51ac3d0f0dc3f31834f5772ade355886b20b8a03157c603faca73c67f7ac1fee69e7c2180b6154f6536e49f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events

Filesize
5KB

MD5
dfa306635fe33da81d168f620087a251

SHA1
0d319fbddf08beb7372b3242af5336b391c7a984

SHA256
71969f913d7cb567310c5ce301ff0fec7cac4bf9fd7b283cc0a587e4e07b90cb

SHA512
3e3ea9b4bdf4a0d203baea5967764db149ad77176d5713d3ba541819534be7722c36f505bdc2855f7461261396a9bd800ef50bfbb6e93c07dfe0769a03b25bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
3a9261fa7e880746075f4f6185db8d2e

SHA1
e5d9e15bbadd0623ada4d9f67c963f4b704a35fb

SHA256
2267991c26cbeeca1e988187f197216b8a0397b6cbdca9742c846d557a4ec25f

SHA512
2eed627e5056aaf58a52afd77d82f4121b26a50c6f195f76039ac1da64436bacac675ff2425f04ceadfe80f1b381b72351028602b178c0a3e20f570020b76f93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\023ad781-15d4-4625-a1bf-93d4194e82b1

Filesize
2KB

MD5
050dac8f4d9a646e6b266d8e926b345b

SHA1
5720c698fbbc4b32434422e30d2f1669cd169298

SHA256
2169742059402c760a945a842dd131ca849ea7a377442e5a22f6c53528ba5134

SHA512
49f29e657ddda790ac6d7b177b9e5848e54ba533e0e40224ec70e975b5b642d28b94552b4a036b75e96d0925574230fbcbc43b3bd5ad1ed2cfa2c6a15b0bdaa5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\103d2eca-8c39-4397-95da-1af258193413

Filesize
886B

MD5
d01cecbd89717a81c80dba67c3ae2a38

SHA1
8f4656a8d49329a6e223a083bca4478012f0fd60

SHA256
a225da6dd708d424eb4113d4e30fdfd394411c0e8fee573b6706c50d6891dd3a

SHA512
099931e402dc24898f112d316d378f49eba500c444e75ee368e4a505a0bf0bd28e63249eac3e05872161a406609ac924616e1aa6216cad9c1bbe0483b9d3b9e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\47e71db1-5173-4c1c-b68a-dc4cf4f210d1

Filesize
883B

MD5
139a921eacc3b6333251e1ef7fbb3ead

SHA1
13ea8e87f413adcc6c224c01db0d802ca0643eb1

SHA256
e42d1d4b62d3a2b957f6181981b51aab0ead6eee692d779e7edd4042b4dbbd8c

SHA512
5f75d99b9265aebb74d82ccb739295334b42182738d6e5b5fd5b7caf181514cc9efcbea3857705ad545ef9f2f66f6c090e6cb2f97bff773a6f2b73b298f58b88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\609ffdf9-3019-42d2-bc50-547bb51938e0

Filesize
235B

MD5
25840ea11cab26f509f70ca536567b3e

SHA1
94390af166113698fb13582c2539aaf020cb30e1

SHA256
548a843326a051040d4a34b6c25c3754e58f547d8169662780ecfc78f4a5fc66

SHA512
72395230bb1b67d3b2d706a3ff7fe95292d85d0341fb99410dce3853c436c56c59cb12b3dae82461c4190ab346bb647770a949588335f42c473c359e07a5a6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\9312183c-3aa0-4320-a366-1b5f23d7435c

Filesize
235B

MD5
463d7876ae8bd51342c08a022035f7d8

SHA1
4f1c980bb00208132b954c22ec0343640e1a0d9f

SHA256
78a723007f40555c3fe6ed988ea13fd8a39d070ea417931e9dd92adee06a092f

SHA512
65e958be3f912a357969829a36c3c60a6419896823ff415a34fa353dd41a70141f839ef42bbd11b974d2bd6fd46153916bec3209c5ff36ad63bfbbfdb9d06373

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\a7db51d9-a42f-492e-938a-e2ee88ff7b3d

Filesize
8KB

MD5
eeb9592df135538910ff0b983fd8a2b8

SHA1
a876b04900d7a1e9a2b9a8ccb1f0c409e922b34f

SHA256
1c3af2ed204fafa627959a0d12e2c10fe4348fef4370778c790eeb184cd89771

SHA512
ba510ca29185c36b79065a8c9f6e8ecf84ca7456faf1b4d5d9dedeb55145971a68ce1e2ebe18a0016eafe8457a8fe1531d679d090a63c45b1ef86163cd1dc080

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\d3b8374f-adf3-4df1-a5cc-2560743fa705

Filesize
16KB

MD5
bbc16b0742b7fc15cea2e6a999732dd6

SHA1
44322b0bcfd41f14c36f517b5ed020ac6f531fe1

SHA256
6eed4f082699dc182ad3c359d1ed0daaeceae0a6158f96b3b3e518f805599d0c

SHA512
037c3beaa36c209805b1ba924c8e42fef1f78de3d2fe7ef1eb4c4ff2201edcf7cf14bdb23f42e3fff72b80749d651723055551910c0b9c6074aec80255ca3ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\extensions.json

Filesize
16KB

MD5
7f1a65a084de7f80da59e90123d1ec3e

SHA1
45a2452de5f925cf9373deaa2914ea4f8b9d3ca6

SHA256
9eed66651a4e11921b9f2d9e4afbc2d97847db221ceebe4f7b8f5759746f92b3

SHA512
55acaeb68cfb88b35b90b65c9b6988e0da49478b23825ae787fe332a6fb63bc45c7a620bda5b29af566b79ceb7d9a36db8d96fb9ff5684559cd30fcb7874d2a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs-1.js

Filesize
6KB

MD5
ff85566a22ed48857608c8ae8fb2c9b2

SHA1
8395713f3e7319ee1e8fe665c15de8c0cf5a0b61

SHA256
c26ef3f0b82d127db65fe44a31c6d4e96ae937a0efc71b85ed8018b892c32cda

SHA512
6d78a630e4ff85577ff386cbcb97cf0d36cf7d7c8ad2713b520c4a940d4cbd8722761be1f11d2a90a8c520a42d45b31704858458b9c6b12691e500a234ba6f63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

Filesize
6KB

MD5
6ccf1657a34a20c01deb0cecf05eb2df

SHA1
74de66dbbbf37e12fc8713e561ca46a093becfc9

SHA256
d7d21c13cdf209bdf5220c10747cb8703b7507050ebf2ddc57d3530d3fbf8ec6

SHA512
e0793ef86835cd40fed282f6e73f54cd24ae766e02882abe7585a67be301d25a93d606431f6cc41166e3e9b1ce8d4b6a509ba45be7e6eceed65d4e3662fa702e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

Filesize
9KB

MD5
0e9a0623dc6a0dc784df94f3de172ed7

SHA1
03b4fb334442bb3b23f3d35e6e9e43b8cabc8cc1

SHA256
de74163d5c2b60eda5bd3bcf4cb76ae5129a47ddbd4da465dd5bcbfd5ce24cf0

SHA512
fb5afb72860a3d238d7bc65768e604b86e0222b2abfd60237f6463a38eb6343dd393a16a43667339a8b7de26e6a8d1d17c6096dfa56bbe833b0addd8cc1555ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

Filesize
7KB

MD5
16b50a1e188762ba5b154c2916abe8e7

SHA1
f3a237954f8d172eb82cbddcbd7a5b8b0afde18c

SHA256
305c385186a4619d5871f1377d3a00d45f5f13b513f6d3f11a771c146ef3993f

SHA512
95b7179489121db9045ee85a213e31999694f5d9875a690e5129ce156f4307d01e0217b2f71e957f5db500ba04f282c9114b1f2165537a5ff5803abb30d13334

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
db34593485f6e5b945f458e32e38987f

SHA1
feeff417b87ef352bad23ce4975a8d639f99df74

SHA256
7026ef1b0c9aa33f8a841c96d12396bc2e7ac772ceeafa4ab7f62feb6f3b5329

SHA512
4625322cc9830feb2a4fd51acd623418417caf4f3df035149639893d362899bec17d4ffe32400e44f2579075898ee1e463e9fdde1d643ac2a6ebf669c66af23d

Download Submit
C:\Users\Admin\Nioka.meposv

Filesize
535KB

MD5
b8e197842819dbcd801d2e93f0183159

SHA1
19c93df3c3e24624c0e741ad52b8b011fb2ca396

SHA256
7607a7e114141ba2f0e8edbf52383ff1fcfbe55e41a8a39d6b987ab679658de3

SHA512
33785359cb8f64e069f21887e37f1b73ff5bab133da439d15d49ae87576d3987b0a849a474771e4ef764fdc374e800dffe8950cea4614f43ae68a90d552fc02d

Download Submit
C:\Users\Admin\xl\media\image2.bmp

Filesize
496KB

MD5
814071ec92b0429d274082e3993aa5af

SHA1
0f191570dcbecda0c18c48eac960c0def6779e2f

SHA256
e283651e374533499d1552b94005f00360fda4f267f46d719bb6b02e8764243b

SHA512
a6b4013630655a6754b59e0cdb76d85a3a165bc8506ce55fd4aef99bf1790e7abc9dfa071dcd7ce0fcf528a9a483ff91f14fa7f8d80048a4e41c4c9f2d38cf68

Download Submit
memory/712-70-0x0000000002F70000-0x0000000002FB3000-memory.dmp

Filesize
268KB

Download
memory/712-68-0x0000000002F70000-0x0000000002FB3000-memory.dmp

Filesize
268KB

Download
memory/712-63-0x0000000002F30000-0x0000000002F67000-memory.dmp

Filesize
220KB

Download
memory/712-59-0x00000000024E0000-0x0000000002519000-memory.dmp

Filesize
228KB

Download
memory/892-18-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-13-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-0-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-3-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-2-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-5-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-6-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-4-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-7-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-8-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-11-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-14-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-90-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-91-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-93-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-92-0x00007FF9D0950000-0x00007FF9D0960000-memory.dmp

Filesize
64KB

Download
memory/892-73-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-72-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-71-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-94-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-67-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-66-0x00007FFA1096D000-0x00007FFA1096E000-memory.dmp

Filesize
4KB

Download
memory/892-9-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-1-0x00007FFA1096D000-0x00007FFA1096E000-memory.dmp

Filesize
4KB

Download
memory/892-19-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-20-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-17-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-10-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-16-0x00007FF9CE530000-0x00007FF9CE540000-memory.dmp

Filesize
64KB

Download
memory/892-12-0x00007FFA108D0000-0x00007FFA10AC8000-memory.dmp

Filesize
2.0MB

Download
memory/892-15-0x00007FF9CE530000-0x00007FF9CE540000-memory.dmp

Filesize
64KB

Download
memory/4620-102-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-104-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-105-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-106-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-107-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-108-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-103-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-96-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-97-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/4620-98-0x0000026F122B0000-0x0000026F122B1000-memory.dmp

Filesize
4KB

Download
memory/5064-69-0x00000255A8AC0000-0x00000255A8AC1000-memory.dmp

Filesize
4KB

Download