rhadamanthys | hxxps://winiumdriver[.]com/update

Analysis

max time kernel
359s
max time network
357s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://winiumdriver.com/update

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

msiexec.exe

description pid process target process

PID 5556 created 2552 5556 msiexec.exe sihost.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

MSI42A6.tmpGUP.exeMSI63BF.tmpGUP.exeMSIB54F.tmpGUP.exe

pid process

5888 MSI42A6.tmp
5984 GUP.exe
5368 MSI63BF.tmp
216 GUP.exe
5232 MSIB54F.tmp
2064 GUP.exe

description	pid	process	target process
PID 5556 created 2552	5556	msiexec.exe	sihost.exe

pid	process
5888	MSI42A6.tmp
5984	GUP.exe
5368	MSI63BF.tmp
216	GUP.exe
5232	MSIB54F.tmp
2064	GUP.exe

Loads dropped DLL 44 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeGUP.exeMsiExec.exeGUP.exeMsiExec.exeMsiExec.exeGUP.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
4712	MsiExec.exe
4712	MsiExec.exe
4712	MsiExec.exe
4712	MsiExec.exe
4712	MsiExec.exe
4712	MsiExec.exe
4712	MsiExec.exe
4712	MsiExec.exe
4712	MsiExec.exe
5192	MsiExec.exe
5192	MsiExec.exe
5192	MsiExec.exe
5192	MsiExec.exe
5192	MsiExec.exe
5192	MsiExec.exe
5192	MsiExec.exe
5192	MsiExec.exe
5192	MsiExec.exe
5740	MsiExec.exe
5740	MsiExec.exe
5740	MsiExec.exe
5984	GUP.exe
5180	MsiExec.exe
5180	MsiExec.exe
5180	MsiExec.exe
216	GUP.exe
5756	MsiExec.exe
5756	MsiExec.exe
5756	MsiExec.exe
5756	MsiExec.exe
5756	MsiExec.exe
5756	MsiExec.exe
5756	MsiExec.exe
5756	MsiExec.exe
5756	MsiExec.exe
5544	MsiExec.exe
5544	MsiExec.exe
5544	MsiExec.exe
2064	GUP.exe
5412	regsvr32.exe
4040	regsvr32.exe
3280	regsvr32.exe
6116	regsvr32.exe
2188	regsvr32.exe

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

136 3836 msiexec.exe
138 3836 msiexec.exe
140 3836 msiexec.exe

flow	pid	process
136	3836	msiexec.exe
138	3836	msiexec.exe
140	3836	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GUP.exe

description pid process target process

PID 5984 set thread context of 5556 5984 GUP.exe msiexec.exe

description	pid	process	target process
PID 5984 set thread context of 5556	5984	GUP.exe	msiexec.exe

Drops file in Windows directory 25 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI53A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI596E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB54F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB491.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5350.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e5840d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB471.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5380.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4F1.tmp	msiexec.exe
File created	C:\Windows\Installer\e5840cd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI414A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5840d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5840cd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4189.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41AA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B0EFEB0C-B73C-452D-A9AA-2F60183AD374}	msiexec.exe
File created	C:\Windows\Installer\e5840cf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5840cf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4247.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42A6.tmp	msiexec.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5252 5556 WerFault.exe msiexec.exe

pid	pid_target	process	target process
5252	5556	WerFault.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeMsiExec.exeregsvr32.exeregsvr32.exeregsvr32.exeGUP.exeMsiExec.exeMSI63BF.tmpMsiExec.exeregsvr32.exeopenwith.exeMsiExec.exeGUP.exeMSIB54F.tmpGUP.exeMSI42A6.tmpMsiExec.exeregsvr32.exemsiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GUP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI63BF.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GUP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIB54F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GUP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI42A6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bf081c85bb6cd1e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bf081c850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bf081c85000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbf081c85000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bf081c8500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

GUP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8\Blob = 030000000100000014000000cbfe9eb43b3b37fe0dfbc4c2eb2d4e07d08bd8e81400000001000000140000000cdb6c82490f4a670ab814ee7ac4485288eb563804000000010000001000000098eb0b62c3fe53eac8caa8fdb58020ee0f0000000100000020000000b4e0a8c98b0aae43b7383037accd11a1c964971f6b74fcbc370cd030fb328ddd19000000010000001000000058f4c3aea49be319eaff0e54cef46cd35c00000001000000040000000008000018000000010000001000000014c3bd3549ee225aece13734ad8ca0b84b0000000100000044000000450032004300360043004200410046003000410046003000380043004600320030003300420041003700340042004600300044003000410042003600440035005f0000002000000001000000b7040000308204b33082039ba00302010202100b259422ced9812a15a04e99528a0efa300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3137313130323132323433335a170d3237313130323132323433335a3060310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311f301d06035504031316526170696453534c20544c532052534120434120473130820122300d06092a864886f70d01010105000382010f003082010a0282010100bfb9592544123516e25d5049050ae0cbfc8dda25089a67a6a26d11e36a9fdaa7dcf2d5a60dae985eed871a3703283ec66f5c347e84d24ea3d81b80e6154cfabc81773ce08ef960a38789503836b249419ea9dac250caac7ad07904223cc837ed4b40b7d74e5a6ece74e839ad61c930f4cb28ad172398c1444cfbf088f05345329061c36da1a5e01090e38b9aca93e5064961e8a4eea96f9fc81f0fe5dd0e7937924baebb4786fafbb2ad21abe6e5f92d18455a5bf5cc5403721fc42a6775eb79bacffc9cc7fa8b6bdcf2bc82dcedc4296fe93b4cbadaf56135ed83d29fd00d8c6f840a8f4f0d6dcdf65c2129008dbf0d601a882ec8242eec713b0675bc7924850203010001a382016630820162301d0603551d0e041604140cdb6c82490f4a670ab814ee7ac4485288eb5638301f0603551d230418301680144e2254201895e6e36ee60ffafab912ed06178f39300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7447322e63726c30630603551d20045c305a303706096086480186fd6c0101302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01023008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101001944a539be0add6b664a56e6139d146011d733448a5cfa8733393a5d05290a1785ff8a94f1a3a16a3b324501435758a1fee3c883b60746d162093ab81becdbe375f54fbee726048e23da6afd3a82c2dba467bbbd54b2f7240ab759dcb69a828bbef0bcb55991ce401ed314029112888db046f34312c835ff478b98823e9988d4ff660e8623a4687e0aa0a4376cb0b7345c8450128b7121970accfde9189f4509b30798c2cbcae05dfae096bd5705da881801ac2e7c2852fcf4fad43f6bab33d14b9236baa6b7b66213e382612605a106714c6fb006424bcdabd28d4bd75ddc659cd7b1ff7576b57a7a31cd68c4d2105d163c4f8546f45b7c22f28df8fe6f05c7	GUP.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8	GUP.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\WiniumDriver.msi:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WiniumDriver(1).msi:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exeopenwith.exe

pid	process
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2428	msiexec.exe
2428	msiexec.exe
2428	msiexec.exe
2428	msiexec.exe
2428	msiexec.exe
2428	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
2528	msiexec.exe
5556	msiexec.exe
5556	msiexec.exe
2108	openwith.exe
2108	openwith.exe
2108	openwith.exe
2108	openwith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3876	firefox.exe
Token: SeDebugPrivilege	3876	firefox.exe
Token: SeDebugPrivilege	3876	firefox.exe
Token: SeShutdownPrivilege	3836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3836	msiexec.exe
Token: SeSecurityPrivilege	2528	msiexec.exe
Token: SeCreateTokenPrivilege	3836	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3836	msiexec.exe
Token: SeLockMemoryPrivilege	3836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3836	msiexec.exe
Token: SeMachineAccountPrivilege	3836	msiexec.exe
Token: SeTcbPrivilege	3836	msiexec.exe
Token: SeSecurityPrivilege	3836	msiexec.exe
Token: SeTakeOwnershipPrivilege	3836	msiexec.exe
Token: SeLoadDriverPrivilege	3836	msiexec.exe
Token: SeSystemProfilePrivilege	3836	msiexec.exe
Token: SeSystemtimePrivilege	3836	msiexec.exe
Token: SeProfSingleProcessPrivilege	3836	msiexec.exe
Token: SeIncBasePriorityPrivilege	3836	msiexec.exe
Token: SeCreatePagefilePrivilege	3836	msiexec.exe
Token: SeCreatePermanentPrivilege	3836	msiexec.exe
Token: SeBackupPrivilege	3836	msiexec.exe
Token: SeRestorePrivilege	3836	msiexec.exe
Token: SeShutdownPrivilege	3836	msiexec.exe
Token: SeDebugPrivilege	3836	msiexec.exe
Token: SeAuditPrivilege	3836	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3836	msiexec.exe
Token: SeChangeNotifyPrivilege	3836	msiexec.exe
Token: SeRemoteShutdownPrivilege	3836	msiexec.exe
Token: SeUndockPrivilege	3836	msiexec.exe
Token: SeSyncAgentPrivilege	3836	msiexec.exe
Token: SeEnableDelegationPrivilege	3836	msiexec.exe
Token: SeManageVolumePrivilege	3836	msiexec.exe
Token: SeImpersonatePrivilege	3836	msiexec.exe
Token: SeCreateGlobalPrivilege	3836	msiexec.exe
Token: SeCreateTokenPrivilege	3836	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3836	msiexec.exe
Token: SeLockMemoryPrivilege	3836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3836	msiexec.exe
Token: SeMachineAccountPrivilege	3836	msiexec.exe
Token: SeTcbPrivilege	3836	msiexec.exe
Token: SeSecurityPrivilege	3836	msiexec.exe
Token: SeTakeOwnershipPrivilege	3836	msiexec.exe
Token: SeLoadDriverPrivilege	3836	msiexec.exe
Token: SeSystemProfilePrivilege	3836	msiexec.exe
Token: SeSystemtimePrivilege	3836	msiexec.exe
Token: SeProfSingleProcessPrivilege	3836	msiexec.exe
Token: SeIncBasePriorityPrivilege	3836	msiexec.exe
Token: SeCreatePagefilePrivilege	3836	msiexec.exe
Token: SeCreatePermanentPrivilege	3836	msiexec.exe
Token: SeBackupPrivilege	3836	msiexec.exe
Token: SeRestorePrivilege	3836	msiexec.exe
Token: SeShutdownPrivilege	3836	msiexec.exe
Token: SeDebugPrivilege	3836	msiexec.exe
Token: SeAuditPrivilege	3836	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3836	msiexec.exe
Token: SeChangeNotifyPrivilege	3836	msiexec.exe
Token: SeRemoteShutdownPrivilege	3836	msiexec.exe
Token: SeUndockPrivilege	3836	msiexec.exe
Token: SeSyncAgentPrivilege	3836	msiexec.exe
Token: SeEnableDelegationPrivilege	3836	msiexec.exe
Token: SeManageVolumePrivilege	3836	msiexec.exe
Token: SeImpersonatePrivilege	3836	msiexec.exe
Token: SeCreateGlobalPrivilege	3836	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

firefox.exemsiexec.exemsiexec.exemsiexec.exe

pid	process
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3836	msiexec.exe
2428	msiexec.exe
3836	msiexec.exe
2428	msiexec.exe
5916	msiexec.exe
5916	msiexec.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	process
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe
3876	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

firefox.exeGUP.exeGUP.exeGUP.exe

pid process

3876 firefox.exe
3876 firefox.exe
3876 firefox.exe
3876 firefox.exe
5984 GUP.exe
216 GUP.exe
3876 firefox.exe
3876 firefox.exe
3876 firefox.exe
2064 GUP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3548 wrote to memory of 3876	3548	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 4444	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2244	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2244	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2244	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2244	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2244	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2244	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2244	3876	firefox.exe	firefox.exe
PID 3876 wrote to memory of 2244	3876	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2552
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://winiumdriver.com/update"
1⤵
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://winiumdriver.com/update
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e119664b-0e2d-4cdb-b1d8-8b2f8b2caa42} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" gpu
    3⤵
    PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daf3225a-0b75-4656-816d-4adef9445d06} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" socket
    3⤵
    PID:2244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3400 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf8db1d-23b3-4957-9333-8dbce47998fa} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
    3⤵
    PID:1608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 2 -isForBrowser -prefsHandle 3100 -prefMapHandle 2936 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {856fcb30-b942-4b1b-9fa9-090d7b1bf3a2} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4588 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4600 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa264731-0899-43f2-a484-6a439a3079ce} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" utility
    3⤵
    - Checks processor information in registry
    PID:3296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf78ad5d-6da5-4b4f-8408-95c138858feb} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
    3⤵
    PID:1764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c797842-0637-43f0-8a87-a0373f9b9232} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4241ebc-7ebf-45fb-8468-a104730dfbf5} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
    3⤵
    PID:3104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3536

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9EEA925C9C83F73415628F2C0A094D41 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4712
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56475DDCA51A4D013E8F7AEF21A03FE4 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5192
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 63A12AB61F3C592B9002DC41424F7026
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5740
- C:\Windows\Installer\MSI42A6.tmp
  "C:\Windows\Installer\MSI42A6.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D8A85B870029E5370A891730B28099
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5180
- C:\Windows\Installer\MSI63BF.tmp
  "C:\Windows\Installer\MSI63BF.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5368
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5B1D10343AA65C09F8E3801827C71682 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5756
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D0AB502CB6B8E8C6FDF614D54EDF6B78
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5544
- C:\Windows\Installer\MSIB54F.tmp
  "C:\Windows\Installer\MSIB54F.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4716

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver.msi"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2428

C:\Users\Admin\AppData\Roaming\op\GUP.exe
"C:\Users\Admin\AppData\Roaming\op\GUP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:5984
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 600
    3⤵
    - Program crash
    PID:5252

C:\Users\Admin\AppData\Roaming\op\GUP.exe
"C:\Users\Admin\AppData\Roaming\op\GUP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver(1).msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5916

C:\Users\Admin\AppData\Roaming\op\GUP.exe
"C:\Users\Admin\AppData\Roaming\op\GUP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
1⤵
PID:5180
- C:\Windows\SysWOW64\regsvr32.exe
  -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5412

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
1⤵
PID:4400
- C:\Windows\SysWOW64\regsvr32.exe
  -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4040

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
1⤵
PID:5976
- C:\Windows\SysWOW64\regsvr32.exe
  -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3280

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
1⤵
PID:5352
- C:\Windows\SysWOW64\regsvr32.exe
  -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5556 -ip 5556
1⤵
PID:5228

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
1⤵
PID:5488
- C:\Windows\SysWOW64\regsvr32.exe
  -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5840ce.rbs

Filesize
1KB

MD5
236fdd379f9035a6adf5309299eb1405

SHA1
4defc3c4633b57cc72a8c138ff1a84a4e2c1562a

SHA256
4fea77dc2c80fb964853a646957c55b71a75439503424576c1821fa6867baf81

SHA512
10f6e33f7c2e490d0b50cc71f01154f14e5ee354bb67581451f4facd7057d3976b6f6ea0f3e94c85d41a25f0d4502db2b71bddae266f5a33020a5f897f254405

Download Submit
C:\Config.Msi\e5840d0.rbs

Filesize
2KB

MD5
dfbe2ffa059c4e6183d84d49d24ef5a2

SHA1
fb6c6ab155c1a430f5e771cb2063e8da5d841936

SHA256
d5a3d9e36dd91de172b066141a0acd4dd90833eee13d16f6df3d431ec6ca555d

SHA512
3dc95410e659d40b13adefdfa3083eace9a10f298f2c54182131aee35f010bc5e1c99074edd2e487aca7692329503f89071a2d4eeb5ee36a79264536b47ac169

Download Submit
C:\Config.Msi\e5840d4.rbs

Filesize
2KB

MD5
2f0934559f14d01680d424fc72bad00f

SHA1
049fffe2690d834422beb031a0245d47afa6f95d

SHA256
f454d66570bab623c7f2fe4f871ae6c977554347908aef9a867cf8aa819b146a

SHA512
65fe75b87b9cd35d2b5caf342545ee053e5844e85ddd7615989f28d2a647c80fda30269164f27b176f043ca1a1d3a6cb7b93b2bf8096cc5360e939cfcad1fab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_1F8F5C0F188BC014D5B60763F6F6FCF1

Filesize
1KB

MD5
ba22e6ff58052de94a3b21f05676dbf1

SHA1
1b7b40ebde6df15eb28463a5ab0b156261c38d66

SHA256
21a524a38d0fefe08c4e203e7f44a1673aa685908864d159d31b707387915bdd

SHA512
57c443b59c4b3ee0a7d3a58f691096721b8afbc540f81c090f30095659731c6906141962852f80183397ae3aedf331d91fdf2352beacee18c4ffa30e638eabf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
c1001285214565ff5f493f51eedfd826

SHA1
bef796ceb3a31b837acd601dd4860afe8f9950b7

SHA256
969273d5dafc8a3df073c72e3c9be850774a11da114fb76e2d99d9416592d41d

SHA512
8d933dc39bcfa9d89da7cb22a1031cbdfdeda3066ea1e5c911c28df0df5883352b095b2911dcbd22d84382b86bfd6e6b519ba0d0bb7f7284da23fa3caca55afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_1F8F5C0F188BC014D5B60763F6F6FCF1

Filesize
536B

MD5
9118d6756d0e728466e7c88e0648f6e5

SHA1
dce6614846e2a172a169c2e06fe31c83f97d0dbc

SHA256
11baa97fe93dd24aaf3eb39aa44e86b3fb21facb5b514ac10b75897437f9b38d

SHA512
84cc8d41f77326d5e106930ead7d67566a5256edb96e6d96c293cff7e99af4e4ecd219a9da93bb960e4759954a5519a48c4deaa4fb37e6c2e30ad130cb138b06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
f5404f45013ffc3c5a7d00b0c9fc4526

SHA1
d19d92879b10e2bd093b1d95570736a65b494d5e

SHA256
e4e6c87d5d5bdcf9255e711254333534e691d5bb02a2a1f60e8b57099f6e72fc

SHA512
5f18e595941ef0acbe50d4316aea1b9d7893b1266acbc3fe5cc45cbb83e29b66eb2091ab8968317830d3fc50017cb98318e72bef09f1c66654115db6d641821b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
7d388316920bf289449d5f4fd202e95c

SHA1
9c9ad52cb7eea8f9e0d480e6e22fa5f07e25dd0d

SHA256
cf4853ea071f97d283e1a6a08270e91f39a1af92bc9678c5030fdf5caa677013

SHA512
9df555aea0502c912d1959be41b2bbc35f7e6a75b20f238eb7bf0eda1e6fa938740b155b828aad7541634615e8faf92ca8e6cc2b7f089159c423f2b4f0710e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI80be2.LOG

Filesize
376B

MD5
3497fbaa936b2c866ee9f90ccbbcddac

SHA1
2bbb035b7aa1f17257474a2d68686c59baf8e4e0

SHA256
be34e18ab1a8f734a82ec4b60999935b70aaf4317f485b418c709ff7dcdd6bdb

SHA512
4efc3efe287d0863082f2cdd50d98deb558f67abe6f793906b71138b1baad25d1471f11f807e977cb2ae7946fa06c19156f4af67a18c230e29d111f10cae4061

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI824e8.LOG

Filesize
1KB

MD5
0f00d02d6482059d58ba0a3240d99593

SHA1
88ce44a091c682c68ae5e9267f4e55e10f560600

SHA256
f3d72eeec0831cdbd0a3d83e20f2359b93a4e7a1ee11598c4b2f3a624a761490

SHA512
fee327f148ff9c12ee3617090c18c445b64c2ec15a1711dc622b56172af9c0cc76b0f6cac38b5d6b3f7e2e69628086367a4fa75d114ef54839b3be3177289f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9DE.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2L3KUMJYMC4FWR1W1NYE.temp

Filesize
15KB

MD5
1e64dd9a982a43ec68f16e6a47c30615

SHA1
cf32aaa411b83c2de3ddab55ed2f29023ccbf882

SHA256
59bc5c408c19e24ee1731c5f8f447c66c98d6a640e38572ec2e0a74d3cfa4244

SHA512
54592ea5511c9f60a26d50d6fd607d1f0b247452d65a692477a41abc0d4d06e4318776f5420f44767592ac43d675f6ac3e7ff4c52544cc16dba5e04a98c706dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
7KB

MD5
579c57c4d4d9a002c5a42d7e335e24d1

SHA1
2224e4aad6261156870d2e77ec94b7e35f634e1a

SHA256
f6c41f1a32f2f004ed731053775c86de56e5a3047dc2ddf3df8b2ce875831351

SHA512
2f94524b97e0e1fd8f40ec6242e74bc8f324f8f98d47d0b8fc989167d6c55da0dcd0eb557411469adbd899d73b942c43d09e8f8e38cccb35f1325a8b675fffd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
7KB

MD5
f6162fbca9b928222e65be3fb8a74d12

SHA1
b5207a5abf79e39732dbe8b734cbba9043e5ea00

SHA256
40fa0385b81f0600ff71b2f3d878527f35971d85a9129de1fcd89d5031914d0d

SHA512
26203363f341ffa942274538e97192b251bf64f3d79a56b825be5fe8be896a5b8f06a0c66b2ec6a99997ed1db84a25bd2fbaff046472bd15bf70d04e8dd9ee04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
81807dc6fd95269034196f3bd791446b

SHA1
8baee70a9b8c7a5b13592125364891bf9fa5bef3

SHA256
68cbdf258a9b29b7c9822ae5d1f0159d3f94d1c9c1c4ba69976dd48760e0efe6

SHA512
03b95713695e75d3416b9226d9f563d4119560afeb0c968ccda773f7aa6ee1934a79ef644a7e53a5be584678db64474570de000f7ad1a21664d10adf32fdf5f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
11KB

MD5
721ee257cd3a1397d0a3a13f5c4f3f45

SHA1
6667be1abb6c8085a85ed256fb733a0103f49345

SHA256
16f7bfcc696d99bf937f0a97c286a090d92f399142d8d399944536b3cac57555

SHA512
c85622d4806eface0ce73fbabedc25092ff17f41ebc697f277fb12adaa5fdc3a1f8e1c40f1c681863c4e112be177731ed514007306c03c3a04f2fae5539e5f3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
374ce43c76751636beb1cdc9f45afebd

SHA1
cb991176ad536eb4b2917adf419d9d23788cf7f6

SHA256
21beb205cc927fc9ce2e53ad7f01dc54659a9f8fa74fc065ee91a64867dd4022

SHA512
fec17d19d86f758679838ea1a8aa0de38bbccbd6ceb12bc51fcf5ef7f9b84fca3d3f69ec7f9010d7dfff987d41c953fdda8aa8c5df98607b781e8a2a1c1b778c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
f2fcd15defc2c1f976314360d538da79

SHA1
b5e0e3fb578b3e1660bbc6b153f84109278b0210

SHA256
8ce02c072804c97a8b802fb6da148b44b0e07704aca3913d0f820f2822409c71

SHA512
ce0607c2f6501f455623be10db973fcaa5152dffe46997fe1f5ed93058d634fd6f09fd88308e3ce4b942e97f4fd6cc13a71ab5512e86d0a15137bf29dca1586f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
594656f6ad6a0a537e1a833e8d25bfca

SHA1
cec50713c4b3c46c07e4a7fb28337b9232f27a8e

SHA256
5fc1d324ce7da7d407f9304bc1b9b61fc6ab5884226d23dfa6af18bec7ad7284

SHA512
4f757c704ce2bf6007e9963d1e18983297647ab589d28721ab73d696625ec85086292f1a833f9633ed8175f8974293d5f3cf54bb5f2cd00905478b405488565d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
6c953239fcd458b0439535ab24dca10a

SHA1
70a312d5ca8284b80974430c83359394094fafed

SHA256
c604ac604d6a3a3f2b050b18556a7643d746c74aa47930ffa228a697e01fb582

SHA512
79df5bcedae3c816936938c955f77ad5d7a122fc8e4ef7c348b739eeb2077aa7ea700af563afe5151bcdf8d0a1a78764a54a9f67a5d3828f4e3d255fb61fc777

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\2c962544-26e3-4650-8424-1903e5537079

Filesize
671B

MD5
9daf2b5f44384ab639ac42b7e830b807

SHA1
fbba036ef2e05ac0904ff4bd1a7f22f9b49bbd0d

SHA256
d16875a71ac3b79ad9ac999d913f1ab728bb8009a834604775fd38978fa2af8d

SHA512
9febc66934584141299e665fb85e13adb10f0962da695ca007e7a80083c14a72226f6516feb38eca30e51b65545bf6a41e6023acf6e0f0ab733dd41cdcee653d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\82c57b42-0198-4d96-ad54-fe9013b46705

Filesize
982B

MD5
f592cdb98de13ec91793b03b564b12aa

SHA1
de8f0bc02f11e9fcd6d30c0e46eee551f13e3a38

SHA256
e4b715e7fe425993c8453811b06bbe44d0879738f8f4f6845ddc0364ff30a3bd

SHA512
c24047a899fd071cb266193e8444f1cc8c9b469a4a72851b0334b3a30fe98fcbe40d78f8677988550d449f8f7def02efc4857cd897400d0354e211a991427975

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\b2a7c81d-dce0-4bda-982a-6601a119d6a5

Filesize
27KB

MD5
4984e3e39bc536fa309ef8986ce877b2

SHA1
f715f7956dee675b5c45a731d3b92e1d000545be

SHA256
090994a21f76fbaaf2789dffa598fbeebaf201a74546327501aab2de93ea6ff4

SHA512
d60c1bb68d7963f99ca659a0d7455ea5f6b321bc21f8fee23a67771effe3efea917fcb9837347119c19f1188a1015196050e8ead78f23c09d1025224d50f833b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
12KB

MD5
8cd4394125eab822a2d7aed804b78bdd

SHA1
366641f6298d7e852dd2c56214299ae5e100197c

SHA256
fb446f7d942530598f1944331344b0d7abcda9b7f81e7b38a685987759c1d753

SHA512
12657b397eb4faa570aa8600ea988fa3b6e85793e7dc031b5beee9267173285ef0f8ab50471c77fd5e708fc7a21ae7181b1dc6ae7c5c197d0c6fb0d2280bae7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
11KB

MD5
101d84a42f9d6af600228c3b6c3d1e9d

SHA1
28d1f2a6bcc7ab2d7ec6342212eda1eeb8e22b8d

SHA256
31c4e55f1535b52263107eec4c8c7336ba9630e24691f17ce335aa9b094aacfd

SHA512
6041a81b5e7f64cf09b9be965749ee0296fb4d67c36130db28920d023a3a300835c2237f0850ebae6f71be0f1187ccdd1026c44b383209940f7e9085e195f3cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

Filesize
11KB

MD5
572464b999014ad4f7a8b26612dd41ab

SHA1
bc231df36e4f2a22f72560e473d81b20e58afc86

SHA256
8d14088e541e763b41e724dacd2b9b13192b5e00e6cd582d6b7a5d4dc2adac3a

SHA512
ab3327976316504fff406eb643b6463bc9cf3043cfaf86bc07f0c0d69ec846905c2b1189b6bc4abe09f93f98b2f5f9ad389b6b57e0a8fd572673823b76e0113d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
2415e21907ff210d5b73e83b63db3724

SHA1
c1a11a19b05f7bc5021107b5b83911cf85045581

SHA256
385b7c1d9b72d8283b0de7492792f9866c3ec2d8ea6f169a1630e4bf036e8f36

SHA512
f054c438ae6b23f6d2f756b25d352c912487de7b0d00b062d4e0514e027c4b6280589e6b6a61789ec77f0fbaff913b9bbc401b5e1d74557b90188a3cca87873e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
834c3e57e1644b595cf51ec64f406267

SHA1
564a8acdec6d37d8b70a302558c6ec7442504d02

SHA256
7764d06e39dd8e2cd6eab8835aa136a0b3bf728bbd591c3b20174a30a3ad5014

SHA512
8e353b6a348f1ab6dfa16fe98922e6fc1e01a3e9806c57978136833b0eb8fab8f1e28dabc6fd994acfffb2a5cc5c5d1125592dc75c810794aa35a18b6d140e20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
a4b314e84c37bcaec0a568f8292d5d58

SHA1
23b2fac24354c6af7390d271ea0dcd2b876747da

SHA256
7e3256d75dec58094610dcc3f30bf45a4720f3c93b4daaea0842497a69029a67

SHA512
42e7e6eae3dfd3be462efc348ae1601586b5f4073980b803f86eb603c25648c2ca3247f435f6e6de76ba2df80e172fa55f9d6c1457194033975bd2e1130183fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
41f0da9c5cd3658bc04f65c7e2347e8d

SHA1
4cd4d62f1baf3b51df63a11b4d989a45a6b1dd12

SHA256
738d317bda543000b216ab0394a59797ab38b138d15e7add061290a80de3c835

SHA512
7250b20c573c73ecc4792c1abd57aa8651b659bbad87f077672f3c7af89c858a1c85dad59184dfb821972dc194f9cc2371684ecb6d47e8d2fc1df91952974f9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
5fe09b26184f3e77cf394060cd3373ff

SHA1
47dff47223cf9e8485b70863e21f1c3eb801fe04

SHA256
24be145c3d7d8fe1531c800275bab507892563b9291fed5f35a86e217a9ffd7b

SHA512
ad2554e3f5ce2f697895a96cdc5ce640063f0c823c0c7c6462e79fa5fee0e2bd3bcfa86cb16ff54c3704bfc3dce665cbfec26a13464901987949bf73bf2956e2

Download Submit
C:\Users\Admin\AppData\Roaming\op\GUP.exe

Filesize
617KB

MD5
7be4b26502bb2a8ed4982805b590dec5

SHA1
afa1ee71fe23c4e7f8fc0195f5fb4a3d968500b6

SHA256
97e196b8aa0694ecf37bddab2ade90ffba78251af7e49f6a24adea0a6ee704b3

SHA512
013ce05ca4982b8bbafa33b4011b1a2731c605f581223557ef66cf75df96307d5b2444a9ccb28b3ff39e34ad989e2d5b931ab9bfcccd7dd5f63eabdb726ab749

Download Submit
C:\Users\Admin\AppData\Roaming\op\gup.xml

Filesize
4KB

MD5
30823e98edc86ac1c1b71ba49366bb86

SHA1
1fbaedf0850c6bb298d81843a174fe2ed0d09388

SHA256
f26e3a06fc46eefb24d2d412c5e5ed1bc97ec14e2b7d8670aea0736ce7fb15dd

SHA512
6a907ec6e57d4a7ee0eac473df439db48d4c3457d440417a0a1908e1e8fbc7a15955166dc5d4b2c2dc42e92caa73c74c12b7f9b477c9991ee677a93cd3aa45f5

Download Submit
C:\Users\Admin\AppData\Roaming\op\libcurl.dll

Filesize
416KB

MD5
e73d75e539b7e9acf48683fc6b2cb4ab

SHA1
64006f712a8358817cc546922a1c402eb50a88dc

SHA256
17c8ef5428940de7399b3165fb2f7bf2f247e7082ce14a2c611931ea29f11c40

SHA512
0971977cab1348a62ea646cd12544f5285670fbe2cf5039df3a5dd8b002d770f2a143f2656a6c5b9138d6da3282a2321cfc7ef5e4a2e32459b89f9bf96f6b956

Download Submit
C:\Users\Admin\Downloads\WiniumDriver.iNuVu18f.msi.part

Filesize
2.3MB

MD5
63b08411cf4b5a08280641dcd20b447f

SHA1
0ff5d5e38d82ab2d4fa7ffe2dd68fd933680799f

SHA256
0e7b85b621ff044fba0f965f21137f72a69cb96b75c02c47a64915eebae8bdc3

SHA512
09a4bdd960f4414619bf5a4bcf70938fcbb1aa6583242a7fe99a77a36cde3a9fd5cd3d1892b6129c3919bdf4aad8717cf6fdcdd1637f5ce8e5a51f621a4cd45d

Download Submit
C:\Windows\Installer\MSI42A6.tmp

Filesize
406KB

MD5
d2f8c062aba50ca096cbd5387a2d0b8b

SHA1
04f07790822954d02458d93fba83208ca5223a1a

SHA256
ea6094300c250528ffae4e7972d84eb5b45cfbd018133516c166e40e89ed65bf

SHA512
f51bf12be51832cd7190c255234c558094c0135e8bf05ffd67c2f4a8b0233161fa71c44e86b107956e4b75f5e2a28da58736da61a71f0c600ec1cf1b4e9e86fa

Download Submit
memory/2108-864-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/2108-869-0x0000000075CB0000-0x0000000075EC5000-memory.dmp

Filesize
2.1MB

Download
memory/2108-866-0x0000000002C40000-0x0000000003040000-memory.dmp

Filesize
4.0MB

Download
memory/2528-743-0x000001C9A0230000-0x000001C9A0CF1000-memory.dmp

Filesize
10.8MB

Download
memory/2528-637-0x000001C9A0230000-0x000001C9A0CF1000-memory.dmp

Filesize
10.8MB

Download
memory/5556-860-0x0000000002620000-0x0000000002A20000-memory.dmp

Filesize
4.0MB

Download
memory/5556-858-0x0000000000B80000-0x0000000000B89000-memory.dmp

Filesize
36KB

Download
memory/5556-861-0x00007FFB0D450000-0x00007FFB0D645000-memory.dmp

Filesize
2.0MB

Download
memory/5556-863-0x0000000075CB0000-0x0000000075EC5000-memory.dmp

Filesize
2.1MB

Download
memory/5556-859-0x0000000002620000-0x0000000002A20000-memory.dmp

Filesize
4.0MB

Download
memory/5984-666-0x0000000072F70000-0x00000000734A5000-memory.dmp

Filesize
5.2MB

Download
memory/5984-854-0x0000000072F70000-0x00000000734A5000-memory.dmp

Filesize
5.2MB

Download
memory/5984-621-0x000000007F080000-0x000000007F3E9000-memory.dmp

Filesize
3.4MB

Download
memory/5984-797-0x0000000072F70000-0x00000000734A5000-memory.dmp

Filesize
5.2MB

Download
memory/5984-772-0x0000000072F70000-0x00000000734A5000-memory.dmp

Filesize
5.2MB

Download
memory/5984-749-0x0000000072F70000-0x00000000734A5000-memory.dmp

Filesize
5.2MB

Download