hxxp://google[.]com

Analysis

max time kernel
1777s
max time network
1557s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ehshell.exe
File opened for modification	C:\Users\Public\desktop.ini	ehshell.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ehshell.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	ehshell.exe
File opened for modification	C:\Windows\WindowsUpdate.log	ehshell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ehshell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ehshell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ehshell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	ehshell.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ehshell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	ehshell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	ehshell.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	ehshell.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\microsoft\ehome\ehthumbs_vista.db:encryptable	ehshell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3012	chrome.exe
3012	chrome.exe
2456	ehshell.exe
940	ehshell.exe
940	ehshell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
940	ehshell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeShutdownPrivilege	3012	chrome.exe
Token: SeDebugPrivilege	2456	ehshell.exe
Token: 33	1080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1080	AUDIODG.EXE
Token: 33	1080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1080	AUDIODG.EXE
Token: SeDebugPrivilege	1076	firefox.exe
Token: SeDebugPrivilege	1076	firefox.exe
Token: SeShutdownPrivilege	2456	ehshell.exe
Token: SeDebugPrivilege	940	ehshell.exe
Token: SeShutdownPrivilege	940	ehshell.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
1076	firefox.exe
1076	firefox.exe
1076	firefox.exe
1076	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
3012	chrome.exe
1076	firefox.exe
1076	firefox.exe
1076	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2140	3012	chrome.exe	29
PID 3012 wrote to memory of 2140	3012	chrome.exe	29
PID 3012 wrote to memory of 2140	3012	chrome.exe	29
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2936	3012	chrome.exe	31
PID 3012 wrote to memory of 2636	3012	chrome.exe	32
PID 3012 wrote to memory of 2636	3012	chrome.exe	32
PID 3012 wrote to memory of 2636	3012	chrome.exe	32
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33
PID 3012 wrote to memory of 2780	3012	chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefaba9758,0x7fefaba9768,0x7fefaba9778
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1236,i,15636542810493050120,5739055648901922763,131072 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1236,i,15636542810493050120,5739055648901922763,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1236,i,15636542810493050120,5739055648901922763,131072 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1760 --field-trial-handle=1236,i,15636542810493050120,5739055648901922763,131072 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1600 --field-trial-handle=1236,i,15636542810493050120,5739055648901922763,131072 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1236,i,15636542810493050120,5739055648901922763,131072 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3172 --field-trial-handle=1236,i,15636542810493050120,5739055648901922763,131072 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 --field-trial-handle=1236,i,15636542810493050120,5739055648901922763,131072 /prefetch:8
  2⤵
  PID:1864

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2452

C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1388
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.0.575479516\364593080" -parentBuildID 20221007134813 -prefsHandle 1276 -prefMapHandle 1084 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2a3442d-e1a1-4dc6-8e24-b21bf96d04f7} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 1384 fad5758 gpu
    3⤵
    PID:1872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.1.869501574\480867392" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {249495e3-49fe-44e8-aa41-58e52304ba6f} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 1536 4030e58 socket
    3⤵
    PID:528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.2.1868864886\1566487531" -childID 1 -isForBrowser -prefsHandle 1956 -prefMapHandle 1972 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ef7ebf0-af64-4f7a-80b8-98526607df23} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 988 fa66258 tab
    3⤵
    PID:676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.3.400647597\633812610" -childID 2 -isForBrowser -prefsHandle 2448 -prefMapHandle 2460 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07f36c10-571d-437c-9325-96c91db48b4b} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 2476 e67858 tab
    3⤵
    PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.4.2112336982\429019344" -childID 3 -isForBrowser -prefsHandle 2888 -prefMapHandle 2884 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a48e67d9-c5c4-4717-9c59-b4a126834fff} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 2900 1b77cd58 tab
    3⤵
    PID:2440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.5.817051917\1300729501" -childID 4 -isForBrowser -prefsHandle 3908 -prefMapHandle 3888 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35a4e888-8707-41b6-ae2e-93ee55b016b7} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 3900 1ea52758 tab
    3⤵
    PID:904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.6.576759751\1566608583" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a52e6e7b-4631-4ea3-a2f9-0b14b2e1775c} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 4012 1ea5ce58 tab
    3⤵
    PID:3032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.7.1239947060\45594474" -childID 6 -isForBrowser -prefsHandle 4204 -prefMapHandle 4208 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98871381-ac46-4c84-b889-e70a0fa025c6} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 4192 1ea5c858 tab
    3⤵
    PID:732

C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:940
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /SkipFUE /RemoteOCXLaunch /SuppressDialogs
  2⤵
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2600

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3292

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3488
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\eHome\Logs\FirstRun.log

Filesize
1KB

MD5
914fef656252c51c441a354cc59df285

SHA1
9554e2fb8dad68afbf1e194d3961127dea66e43b

SHA256
3156160c95814453e854faf9060c72fa930a57a4336f2074514529bba0265ce5

SHA512
d37424b0b0912fcb2c3ada72a14e93e1ecc9d8906c52e45c26a04a93e87af4e637b3d9c09a9622a2695c84107d744cbd10187861eb61b4925ae59b94ebb3e9b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
48b3a7843b8397f7b0bdd7b7c67024fb

SHA1
30d2443c942882603d7009421cc02dc300ee7756

SHA256
b1cde0c0d10ac99bcb825b5307a402d5816aec09064f77bbc956e28f7bf35427

SHA512
d77573effb7547174ab5cdf44ac277fd056b6a8fb1dc07405cf486756f65ef057aace4a35abeeb89b8d3385b390286aae69f8d1dab2b600f499d16420842adaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
fb3751ecbd6928ac8b7731be4e900fd4

SHA1
c96114d6bc610e5cff8b956f58535dc10110a1e0

SHA256
673ad071d02f3b3180e8205d25b6dd16f35cd532cc3e06f16723c02ba97dc785

SHA512
928263e66d5db3b3d73ee3b88d43b2ddcd95fbb56356703eeff8a94b5ba2567dd7d4e1c2c272e5fd66cf2e3bb569ecea2f0a4e5dcee163b3229766ceaff5070f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ecf350bf-badf-4c07-8b8f-309cadc408e9.tmp

Filesize
155KB

MD5
2b80798ebd4ce5828b86dbb443d58316

SHA1
f44b313e7ced668b1b721bfc8b73a548ac2afac1

SHA256
fc8230f87c5232a8c2fcea870bbdbd67af0ab5c4f7f97031280ccc36d71d5d21

SHA512
c27286c5c31729f31713f5ac8cbf7294144b299a5365d37dc9d8836cd5d096f2fa25c6da1f4c481ad2c739f87f86426c474744852af1cf5b6657f4e2a85d7709

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzuz3epu.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
1ef8a92d210ccce15b6a063ffa262807

SHA1
e451393ac9132d07cc3660d3f78ddc8e9b2bdc26

SHA256
61e21cd3fd52d2302e26abedf7889301cf2534e9e34c3480568e09053d4df6e6

SHA512
9b34beb74cf493c95211444a7752f40b20b896a6dd32f0c90a2210e8858493ae0ca980b1314298ed7c70ec36e275c6b08ccde34ebd06588628a97e9618c35c3a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzuz3epu.default-release\cache2\doomed\26172

Filesize
15KB

MD5
4bb0597c33abee1c51c9565a57241da7

SHA1
ede52222e5cf1663545ccb9a9de1b383ac9db740

SHA256
4924d167e10a1f29bc41fe8329c3f117c1b84dbc241392f9c6aa3bb1fd4ae3b2

SHA512
d0bf0a7f4775deb1e3c350567c6297da02dda4394ddd1150d5bb77d8a4b6ff8953bc095ede13560fabdcbeca4116e5fec15b59ac35a6960013a11f5203e62f53

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzuz3epu.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
abf2c440fa702538412323ab7f58d9b5

SHA1
4c0a7b1e4838bcc69ea5086facccfd8086ffe85b

SHA256
fc45d11e43aa35f8979e76fd2e7f119190d3e401756ee4fe98efd289e000e55d

SHA512
1cec747ba46ecd84235f07339c9019d6f447acc524a3ae55e510eb9233a9a7a358ef31d3fdb794288f827e3db39126433a298755db735382c4efb40f57dd1d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\8f96978fc46d9f00d8780351026924d7_5349ca0f-aec5-405f-83e0-aa034653cb76

Filesize
59B

MD5
db733e033c397fec5917611957620271

SHA1
6f94d1daa0fc4ec1b2d4cbcb93730d8edb77a2b7

SHA256
1f3ffadd3b80c7f95be06e245410768e8302a24e573868da3c6fd91230025bdc

SHA512
9a9bb4cf6380bb0a73ea414ca2226a344c7da003e49610dc38bd10892dc17244e4c88bf8a466131027e3c064c693ad99014e6853fff51edb21cb690b926b962f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
e4b2eba4cec95f6ab6329f87433ec5ac

SHA1
0dd436dfab4690cff410e7f797a61b3d6c403aba

SHA256
e551b50895336b7a30fe26eb33f4fd6c47f9ba73f0bc35ddecc037b9a02ec140

SHA512
4919d12524862261e843e4bf4cb670eedeef7cdf5d212822b98b0ca45f518853f46e4fef35b1f68dc315b60918628c6e6d707dc0e3069dde60b6f6d060ae9837

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\AlternateServices.txt

Filesize
755B

MD5
1065ded6d7c66969be64233e77f556ad

SHA1
10823f60482558aabb207df14930723ca6f3af81

SHA256
bb25766476beb063a757fffabce9647de92ed703d9f60f00bdfed7e5ae1acc24

SHA512
17e26e2370b389d00bd7437e5575029fe28e545ec0ed607e842394973e88d66df8cb7624eccab00c5dc3eb59e7ea3777b518d40b603d5eada92cef0a211f2a2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\bookmarkbackups\bookmarks-2024-08-07_11_EejuE-rfbOdjQfRPO14-ew==.jsonlz4

Filesize
945B

MD5
067bcb44cde4efaf5434bcba139001a7

SHA1
fca9ab5c188f7ab7d9cc2558ac13f4b22b4a08c6

SHA256
19a88e6a2334c7a73ded85085bb404007dc641b7ca36eb99f54905621f9e621b

SHA512
e1928f47761af9a07703c5eb16e12d3c12b8cdff473712014ef062b85ecde4f6d1b6e5d9fc66a331ff38377d0bd8fcbae6cc99af50ff3af60853ca7bb19c4722

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\broadcast-listeners.json

Filesize
216B

MD5
0efb749164e31a68650c9c4d8703532c

SHA1
65ecae99ff9a42151aec3c510fb2dea21f8dfdcb

SHA256
8a0345849162649b9fd16f0a72e09d1d16ab4e8b80295bfa5f5314d12c32783d

SHA512
84e1902eb9853401d52950f1241f89f997b27f323e61cebfc6280a2cf9e75e4005dc2634de1eb16ba7fe4e935dcb0ccd9c08c73e3f9c69650e9cbfce115304c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
dd279ea70f6e8691916598fb45f67d5f

SHA1
845aa09638e5496f280800dbc7edc235ddcc5eb4

SHA256
e62c6e7d79395361014edd57d26ed57ff22397bf8212b69e2daa782dda6fff09

SHA512
235d3f09e5e7fa14095b2dfee4879a1841306715c7133007df3783f030f642f9a0a3dc0a758f9d2a491e354abc64ee7036392ceb0c6a6d7f6eecdc5add932bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\pending_pings\c5eed60c-c1ee-4f65-9f97-440195a2780c

Filesize
745B

MD5
f4b7cecf9bfe24a0dbc54dfea2f54f04

SHA1
ab14f0230cc4020ee1eae59114953990de436e80

SHA256
d60e0b5715fb1955800bb2c061bd1a299e8b2019bd7cf9c7d9ee27f981a509e4

SHA512
faa3c8325cc7249d702fed9f309c6e58b720fc7a17e35d318d0c72e8d614d47a42dbb9fada843c9cb910d933abdce46a180283738ca79bf9e62f010b02096b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\datareporting\glean\pending_pings\ff49deb1-1652-4794-a16b-a74f43c0be7b

Filesize
12KB

MD5
ccec16b33fbd1b007975319f1ee39cf1

SHA1
6fb5a806cb24b8c1622f076a6cb60620b0a02853

SHA256
11d270cb373d92493ba3ac0eb0df19bc5f1aaebacc6e438615bafe33b9c6d4c3

SHA512
bb81ec030ad264bdd69d6927cbfa71a4e58b70414bc50acdec0cbc0c7684e725c14123b46cf357e96a7498db60e4b782cbe8a39c5c583cc75d546c8b5f5ddc99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\extensions.json.tmp

Filesize
38KB

MD5
2d97be340700e2a73a916528b8c9a3b8

SHA1
6ab4713135f112ef48556c5ceef42205e990e141

SHA256
766a4db5a7fd30a5f094ea2fddab76143b7ec743d5e7e15d98719ad772746909

SHA512
5414dcca10a2ce6197ce24e77292d8f66b5e69af7640d5a3d70d2ad73ae8629518dc131662050a60ef88145a040f72f176e8aa2ffc44c002bb64964931a39da0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

Filesize
10KB

MD5
cfe0844d88b1578d5f5f2f93806e6a2a

SHA1
6495c28d987465dc160d0130c297d762253c2c25

SHA256
4f7d5ee86b8eecfbc1c245cdc1ea6af7b59c7d799e177b520d9e32b5b15f34c7

SHA512
d5a2ac01af6851c04c2132f6cb4055317d3cae880600411f22f48a4b7185de554e83f7a727647fea776de3b27f17b86b9bc7592c7f065d63e2752b81e5d925b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

Filesize
10KB

MD5
a6039f5364c9e5017dc9b7240efb408c

SHA1
a5e8a9d89a63dda420e67d94da90e9059c3738dc

SHA256
154036676ec826fb36bfa3a5f086e702a4dd4d1a121a5cead3f0b6d42dbeaa16

SHA512
94c7c8b6d4a7df46a1f41fe1a51aa0bf5da62542889c3290a6a69ed52c49a6e345c6d7535b49ea91522642d3c16e95c2988d98fa99542ead2238873bf82b3a79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

Filesize
7KB

MD5
aee99d6cdf75d8da47649e7890cacce0

SHA1
3ad353e74d10beb793ca241e0931bf7090d5cdc2

SHA256
f6f5aa8cc717dea6c02e7e569a5db2cdb2b9d0ccd25ede480404d27a479d5ba3

SHA512
f63eb278d7349a25f37bc4cd35eeab2514fbca05ca35094bcc5778eb2b38b879c738f83334f7a59077cfe8124e704643ae9465b7fcdb6a63a28ea45b6e546e4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

Filesize
10KB

MD5
35750ea0309a4a82dd188cfd70c4ab07

SHA1
7b0972e1e069e7225a09b8497f2a50e1c83b250d

SHA256
fed5d681fb7babf0f27cf510b6a37ca3b6884452c8b6fe19d0d4b3f9d0653915

SHA512
8344e46fc540406c3f83dd82f975ab1209af9e62b79ee6ca0f876c4cd08594f4b35f3d344230cbe3e6420ba7ea59e6eb1de17e54c373557da977d06a996ffade

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\prefs-1.js

Filesize
6KB

MD5
bb0dea381140bf27728b077237478e16

SHA1
4441182623609be8e8963830422218c8dc38e3f2

SHA256
b0cfa7e091c33973d3c4e6c166a714abd6c937a104a4b3b958bbdae69161ad31

SHA512
5c50110096ed4015ba15fb4b83536aa09447c8a58bfddb03232b2d4f0d8adc3decdfcee588d376a3bd35c83fc09874618a590a99ef2825bc2a417747746e7c9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
c7cd00d6b747bb3d88556a3762edc563

SHA1
142b241f078b71592ab048ee71778037cc57ba9b

SHA256
09fa9126f326ce59f77ab81db221443676f349a6fb69bbe40a529535a25b11c1

SHA512
ad62326d1b25b1d99984aeed4329f20c20cbbabf994c29a51b58c8399c4b4aff9e0a334839e794016437ae734d5fec4db600af86e13beeea6d33b79aa7e155f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f5561cb762a4e5026443dd8504343287

SHA1
bf18f162856c2d2bb8120a3aa3318c8d94053167

SHA256
c9d9e58733c077639437fa258c6092b58e7217785b285d6123ca433336b40b42

SHA512
70f65223a4c01ac0c29e549048355866ce2af8088e42c0050edec4bafb43d7ce4621578c50a163e8bb42f5fe1366bf806df5b0cbf885bca2bbe908f166dadc49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzuz3epu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.9MB

MD5
8fbd23a8c0bb8c9b88e5a36b65bf2f34

SHA1
6b2c3e5034e8c6d6efae7771173f8055669ffbea

SHA256
1c29db8bd8f681d38ac71ef6ff7e3c5f0691a8f88df5394bfb3448275fb69da8

SHA512
301a46eecd97eb430c472249697de816c90d25c3f370c05be014f9c807e9f00a38982d315a00dfc3d803773d291cc08bbfcfd5c3a90e52b22121a8833df1fdbe

Download Submit
\??\c:\programdata\microsoft\ehome\mcepg2-0.db

Filesize
1.6MB

MD5
e4525b78399ffd3afd3483bc266b4a7e

SHA1
c667768f711b9bc5499dcef485c0612c542b875e

SHA256
67578338ce9d8f5bd94f7ac34f73dc48fd7a99711ed8702de6ea8f6ade511239

SHA512
c533f9d70c60a0929d28a9c4362523457eb5b571b1318e3df324f164f76831fd3fbc301db195090b7562d8b10e05de27ccf2a6e96ee2f4c5cb9eece1c4c179fd

Download Submit
memory/2456-187-0x000000001D550000-0x000000001D5EE000-memory.dmp

Filesize
632KB

Download
memory/2456-320-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-317-0x000000001F1A0000-0x000000001F1AA000-memory.dmp

Filesize
40KB

Download
memory/2456-318-0x000000001F1A0000-0x000000001F1AA000-memory.dmp

Filesize
40KB

Download
memory/2456-316-0x000000001F340000-0x000000001F377000-memory.dmp

Filesize
220KB

Download
memory/2456-289-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-286-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-285-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

Filesize
4KB

Download
memory/2456-188-0x000000001D6A0000-0x000000001D758000-memory.dmp

Filesize
736KB

Download
memory/2456-186-0x000000001E2A0000-0x000000001E424000-memory.dmp

Filesize
1.5MB

Download
memory/2456-185-0x000000001DC90000-0x000000001E298000-memory.dmp

Filesize
6.0MB

Download
memory/2456-183-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-182-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

Filesize
9.6MB

Download
memory/2456-181-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

Filesize
4KB

Download