Malware Analysis Report

2024-11-15 06:02

Sample ID 240918-w9j5eswhjf
Target https://winiumdriver.com/update
Tags
rhadamanthys discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://winiumdriver.com/update was found to be: Known bad.

Malicious Activity Summary

rhadamanthys discovery stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Blocklisted process makes network request

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Program crash

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Checks processor information in registry

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-18 18:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-18 18:37

Reported

2024-09-18 18:43

Platform

win10v2004-20240802-en

Max time kernel

359s

Max time network

357s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5556 created 2552 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\sihost.exe

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\op\GUP.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\op\GUP.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\op\GUP.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5984 set thread context of 5556 N/A C:\Users\Admin\AppData\Roaming\op\GUP.exe C:\Windows\SysWOW64\msiexec.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI53A0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI596E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB54F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB491.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5350.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5840d3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB471.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5380.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB4A1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB4F1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5840cd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI414A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI63BF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5840d3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5840cd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4189.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI41AA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{B0EFEB0C-B73C-452D-A9AA-2F60183AD374} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5840cf.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5840cf.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4247.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI42A6.tmp C:\Windows\system32\msiexec.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\op\GUP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Installer\MSI63BF.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\op\GUP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Installer\MSIB54F.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\op\GUP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Installer\MSI42A6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8\Blob = 030000000100000014000000cbfe9eb43b3b37fe0dfbc4c2eb2d4e07d08bd8e81400000001000000140000000cdb6c82490f4a670ab814ee7ac4485288eb563804000000010000001000000098eb0b62c3fe53eac8caa8fdb58020ee0f0000000100000020000000b4e0a8c98b0aae43b7383037accd11a1c964971f6b74fcbc370cd030fb328ddd19000000010000001000000058f4c3aea49be319eaff0e54cef46cd35c00000001000000040000000008000018000000010000001000000014c3bd3549ee225aece13734ad8ca0b84b0000000100000044000000450032004300360043004200410046003000410046003000380043004600320030003300420041003700340042004600300044003000410042003600440035005f0000002000000001000000b7040000308204b33082039ba00302010202100b259422ced9812a15a04e99528a0efa300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3137313130323132323433335a170d3237313130323132323433335a3060310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311f301d06035504031316526170696453534c20544c532052534120434120473130820122300d06092a864886f70d01010105000382010f003082010a0282010100bfb9592544123516e25d5049050ae0cbfc8dda25089a67a6a26d11e36a9fdaa7dcf2d5a60dae985eed871a3703283ec66f5c347e84d24ea3d81b80e6154cfabc81773ce08ef960a38789503836b249419ea9dac250caac7ad07904223cc837ed4b40b7d74e5a6ece74e839ad61c930f4cb28ad172398c1444cfbf088f05345329061c36da1a5e01090e38b9aca93e5064961e8a4eea96f9fc81f0fe5dd0e7937924baebb4786fafbb2ad21abe6e5f92d18455a5bf5cc5403721fc42a6775eb79bacffc9cc7fa8b6bdcf2bc82dcedc4296fe93b4cbadaf56135ed83d29fd00d8c6f840a8f4f0d6dcdf65c2129008dbf0d601a882ec8242eec713b0675bc7924850203010001a382016630820162301d0603551d0e041604140cdb6c82490f4a670ab814ee7ac4485288eb5638301f0603551d230418301680144e2254201895e6e36ee60ffafab912ed06178f39300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7447322e63726c30630603551d20045c305a303706096086480186fd6c0101302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c01023008060667810c0102013008060667810c010202300d06092a864886f70d01010b050003820101001944a539be0add6b664a56e6139d146011d733448a5cfa8733393a5d05290a1785ff8a94f1a3a16a3b324501435758a1fee3c883b60746d162093ab81becdbe375f54fbee726048e23da6afd3a82c2dba467bbbd54b2f7240ab759dcb69a828bbef0bcb55991ce401ed314029112888db046f34312c835ff478b98823e9988d4ff660e8623a4687e0aa0a4376cb0b7345c8450128b7121970accfde9189f4509b30798c2cbcae05dfae096bd5705da881801ac2e7c2852fcf4fad43f6bab33d14b9236baa6b7b66213e382612605a106714c6fb006424bcdabd28d4bd75ddc659cd7b1ff7576b57a7a31cd68c4d2105d163c4f8546f45b7c22f28df8fe6f05c7 C:\Users\Admin\AppData\Roaming\op\GUP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8 C:\Users\Admin\AppData\Roaming\op\GUP.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\WiniumDriver.msi:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
File created C:\Users\Admin\Downloads\WiniumDriver(1).msi:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3548 wrote to memory of 3876 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 4444 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3876 wrote to memory of 2244 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://winiumdriver.com/update"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://winiumdriver.com/update

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e119664b-0e2d-4cdb-b1d8-8b2f8b2caa42} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daf3225a-0b75-4656-816d-4adef9445d06} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3400 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf8db1d-23b3-4957-9333-8dbce47998fa} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 2 -isForBrowser -prefsHandle 3100 -prefMapHandle 2936 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {856fcb30-b942-4b1b-9fa9-090d7b1bf3a2} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4588 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4600 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa264731-0899-43f2-a484-6a439a3079ce} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf78ad5d-6da5-4b4f-8408-95c138858feb} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c797842-0637-43f0-8a87-a0373f9b9232} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4241ebc-7ebf-45fb-8468-a104730dfbf5} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9EEA925C9C83F73415628F2C0A094D41 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver.msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 56475DDCA51A4D013E8F7AEF21A03FE4 C

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 63A12AB61F3C592B9002DC41424F7026

C:\Windows\Installer\MSI42A6.tmp

"C:\Windows\Installer\MSI42A6.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"

C:\Users\Admin\AppData\Roaming\op\GUP.exe

"C:\Users\Admin\AppData\Roaming\op\GUP.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E9D8A85B870029E5370A891730B28099

C:\Windows\Installer\MSI63BF.tmp

"C:\Windows\Installer\MSI63BF.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"

C:\Users\Admin\AppData\Roaming\op\GUP.exe

"C:\Users\Admin\AppData\Roaming\op\GUP.exe"

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver(1).msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5B1D10343AA65C09F8E3801827C71682 C

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D0AB502CB6B8E8C6FDF614D54EDF6B78

C:\Windows\Installer\MSIB54F.tmp

"C:\Windows\Installer\MSIB54F.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"

C:\Users\Admin\AppData\Roaming\op\GUP.exe

"C:\Users\Admin\AppData\Roaming\op\GUP.exe"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\SysWOW64\regsvr32.exe

-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\SysWOW64\regsvr32.exe

-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\SysWOW64\regsvr32.exe

-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\SysWOW64\regsvr32.exe

-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe"

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5556 -ip 5556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 600

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

C:\Windows\SysWOW64\regsvr32.exe

-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"

Network


Files
