Analysis Overview
Threat Level: Known bad
The file https://winiumdriver.com/update was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Blocklisted process makes network request
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Program crash
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Checks processor information in registry
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-18 18:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-18 18:37
Reported
2024-09-18 18:43
Platform
win10v2004-20240802-en
Max time kernel
359s
Max time network
357s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5556 created 2552 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\system32\sihost.exe |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Installer\MSI42A6.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
| N/A | N/A | C:\Windows\Installer\MSI63BF.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
| N/A | N/A | C:\Windows\Installer\MSIB54F.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
Loads dropped DLL
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5984 set thread context of 5556 | N/A | C:\Users\Admin\AppData\Roaming\op\GUP.exe | C:\Windows\SysWOW64\msiexec.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Installer\MSI53A0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI596E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB54F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB491.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5350.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5840d3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB471.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5380.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB4A1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB4F1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5840cd.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI414A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI63BF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5840d3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5840cd.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4189.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI41AA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B0EFEB0C-B73C-452D-A9AA-2F60183AD374} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5840cf.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5840cf.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4247.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42A6.tmp | C:\Windows\system32\msiexec.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\msiexec.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSI63BF.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSIB54F.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSI42A6.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (data omitted) | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8\Blob = (data omitted) | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\CBFE9EB43B3B37FE0DFBC4C2EB2D4E07D08BD8E8 | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\WiniumDriver.msi:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\WiniumDriver(1).msi:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\op\GUP.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://winiumdriver.com/update"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://winiumdriver.com/update
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e119664b-0e2d-4cdb-b1d8-8b2f8b2caa42} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daf3225a-0b75-4656-816d-4adef9445d06} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3400 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf8db1d-23b3-4957-9333-8dbce47998fa} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 2 -isForBrowser -prefsHandle 3100 -prefMapHandle 2936 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {856fcb30-b942-4b1b-9fa9-090d7b1bf3a2} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4588 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4600 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa264731-0899-43f2-a484-6a439a3079ce} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf78ad5d-6da5-4b4f-8408-95c138858feb} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c797842-0637-43f0-8a87-a0373f9b9232} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4241ebc-7ebf-45fb-8468-a104730dfbf5} 3876 "\\.\pipe\gecko-crash-server-pipe.3876" tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9EEA925C9C83F73415628F2C0A094D41 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 56475DDCA51A4D013E8F7AEF21A03FE4 C
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 63A12AB61F3C592B9002DC41424F7026
C:\Windows\Installer\MSI42A6.tmp
"C:\Windows\Installer\MSI42A6.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"
C:\Users\Admin\AppData\Roaming\op\GUP.exe
"C:\Users\Admin\AppData\Roaming\op\GUP.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E9D8A85B870029E5370A891730B28099
C:\Windows\Installer\MSI63BF.tmp
"C:\Windows\Installer\MSI63BF.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"
C:\Users\Admin\AppData\Roaming\op\GUP.exe
"C:\Users\Admin\AppData\Roaming\op\GUP.exe"
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WiniumDriver(1).msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5B1D10343AA65C09F8E3801827C71682 C
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0AB502CB6B8E8C6FDF614D54EDF6B78
C:\Windows\Installer\MSIB54F.tmp
"C:\Windows\Installer\MSIB54F.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\op\\GUP.EXE"
C:\Users\Admin\AppData\Roaming\op\GUP.exe
"C:\Users\Admin\AppData\Roaming\op\GUP.exe"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\SysWOW64\regsvr32.exe
-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\SysWOW64\regsvr32.exe
-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\SysWOW64\regsvr32.exe
-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\SysWOW64\regsvr32.exe
-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe"
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5556 -ip 5556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 600
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
C:\Windows\SysWOW64\regsvr32.exe
-e -n -i:"C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx" "C:\Users\Admin\0d02\HVDPCYGS\HVDPCYGS.ocx"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:52446 | N/A | tcp |
| US | 8.8.8.8:53 | winiumdriver.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 172.67.165.40:443 | winiumdriver.com | tcp |
| US | 172.67.165.40:443 | winiumdriver.com | tcp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | winiumdriver.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | winiumdriver.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.165.67.172.in-addr.arpa | udp |
| US | 172.67.165.40:443 | winiumdriver.com | udp |
| US | 172.67.165.40:443 | winiumdriver.com | tcp |
| US | 8.8.8.8:53 | winiumbackend.com | udp |
| US | 172.67.155.74:443 | winiumbackend.com | tcp |
| US | 172.67.155.74:443 | winiumbackend.com | tcp |
| US | 8.8.8.8:53 | winiumbackend.com | udp |
| US | 8.8.8.8:53 | winiumbackend.com | udp |
| US | 172.67.155.74:443 | winiumbackend.com | udp |
| US | 8.8.8.8:53 | 120.252.208.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.155.67.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:52455 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 172.67.155.74:443 | winiumbackend.com | udp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | www-env.dropbox-dns.com | udp |
| US | 8.8.8.8:53 | www-env.dropbox-dns.com | udp |
| US | 8.8.8.8:53 | 18.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ucb88a34526b9f77eaecceb72448.dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | ucb88a34526b9f77eaecceb72448.dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | edge-block-www-env.dropbox-dns.com | udp |
| US | 8.8.8.8:53 | edge-block-www-env.dropbox-dns.com | udp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 142.250.178.14:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.178.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-5hnednss.gvt1.com | udp |
| NL | 172.217.132.201:443 | r4---sn-5hnednss.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-5hnednss.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-5hnednss.gvt1.com | udp |
| NL | 172.217.132.201:443 | r4.sn-5hnednss.gvt1.com | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.132.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | motorans.com | udp |
| RU | 193.109.85.43:443 | motorans.com | tcp |
| US | 8.8.8.8:53 | cacerts.rapidssl.com | udp |
| SE | 192.229.221.95:80 | cacerts.rapidssl.com | tcp |
| SE | 192.229.221.95:80 | cacerts.rapidssl.com | tcp |
| US | 8.8.8.8:53 | 43.85.109.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | motorans.com | udp |
| RU | 193.109.85.43:54801 | motorans.com | tcp |
| RU | 193.109.85.43:54801 | motorans.com | tcp |
| US | 172.67.165.40:443 | winiumdriver.com | tcp |
| US | 172.67.155.74:443 | winiumbackend.com | udp |
| US | 172.67.155.74:443 | winiumbackend.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ucafe1b5153a0a283c78e4ba2868.dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | ucafe1b5153a0a283c78e4ba2868.dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| RU | 193.109.85.43:443 | motorans.com | tcp |
| RU | 193.109.85.43:443 | motorans.com | tcp |
| RU | 193.109.85.43:54801 | motorans.com | tcp |
| RU | 193.109.85.43:443 | motorans.com | tcp |
| RU | 193.109.85.43:443 | motorans.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | seburage.com | udp |
| RU | 194.67.193.73:443 | seburage.com | tcp |
| US | 8.8.8.8:53 | 73.193.67.194.in-addr.arpa | udp |
| RU | 193.109.85.43:54801 | motorans.com | tcp |
| RU | 193.109.85.43:54801 | motorans.com | tcp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| RU | 193.109.85.43:443 | motorans.com | tcp |
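The table above mixes the sample's own traffic with the background noise of a Windows 10 + Firefox detonation image (resolver queries to 8.8.8.8, reverse PTR lookups, Mozilla/Pocket/Google/Akamai telemetry and codec downloads). The script below is an added triage helper, not part of the sandbox report: it parses rows in the table's pipe-delimited format, drops that noise, and collapses the rest into one record per contacted domain so the indicators can be read off. The allow-list of benign suffixes and the sample rows (a verbatim subset of the table) are assumptions made for the example; tune the list to your own detonation platform.

```python
"""Added triage helper for the report's Network table (example code, not part
of the report). Parses pipe-delimited rows, filters detonation-image noise and
summarises the remaining destinations per domain."""
import re
from collections import defaultdict

# Constructed excerpt: a verbatim subset of the report's Network table rows.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:52446 | | tcp |
| US | 8.8.8.8:53 | winiumdriver.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 172.67.165.40:443 | winiumdriver.com | tcp |
| US | 172.67.165.40:443 | winiumdriver.com | udp |
| US | 8.8.8.8:53 | 40.165.67.172.in-addr.arpa | udp |
| US | 172.67.155.74:443 | winiumbackend.com | tcp |
| GB | 162.125.64.15:443 | ucb88a34526b9f77eaecceb72448.dl.dropboxusercontent.com | tcp |
| GB | 142.250.178.14:443 | redirector.gvt1.com | tcp |
| RU | 193.109.85.43:443 | motorans.com | tcp |
| RU | 193.109.85.43:54801 | motorans.com | tcp |
| RU | 194.67.193.73:443 | seburage.com | tcp |
"""

# Assumption for this example: domain suffixes that are routine browser/OS/CDN
# background traffic on the win10 + Firefox sandbox image. Adjust per platform.
BENIGN_SUFFIXES = (
    ".mozilla.com", ".mozilla.net", ".mozgcp.net", ".mozaws.net",
    ".getpocket.com", ".gvt1.com", ".akamai.net", ".openh264.org",
    ".rapidssl.com",
)

ROW_RE = re.compile(
    r"^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dest>[^|]*?)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)


def parse_rows(text):
    """Yield one dict per data row; the header row is skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("dest") == "Destination":
            continue
        ip, _, port = m.group("dest").rpartition(":")
        yield {"country": m.group("country"), "ip": ip, "port": int(port),
               "domain": m.group("domain"), "proto": m.group("proto")}


def is_noise(row):
    """Loopback, queries to the resolver, PTR lookups and allow-listed suffixes."""
    d = row["domain"]
    if row["ip"].startswith("127.") or row["port"] == 53:
        return True
    if d.endswith(".in-addr.arpa"):
        return True
    return any(d == s[1:] or d.endswith(s) for s in BENIGN_SUFFIXES)


def summarize(text):
    """domain -> {'ips', 'ports', 'countries', 'protos'} for non-noise rows."""
    out = defaultdict(lambda: {"ips": set(), "ports": set(),
                               "countries": set(), "protos": set()})
    for row in parse_rows(text):
        if is_noise(row):
            continue
        rec = out[row["domain"]]
        rec["ips"].add(row["ip"])
        rec["ports"].add(row["port"])
        rec["countries"].add(row["country"])
        rec["protos"].add(row["proto"])
    return dict(out)


def nonstandard_ports(summary):
    """Domains contacted on something other than 80/443, with those ports."""
    return {d: sorted(p for p in r["ports"] if p not in (80, 443))
            for d, r in summary.items() if r["ports"] - {80, 443}}


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for domain, rec in sorted(s.items()):
        print(domain, sorted(rec["ips"]), sorted(rec["ports"]),
              sorted(rec["protos"]), sorted(rec["countries"]))
    print("non-standard ports:", nonstandard_ports(s))
```

Run over the full table, the filter leaves winiumdriver.com and winiumbackend.com (both on Cloudflare 172.67.0.0/16 addresses, so block by hostname rather than IP), two dl.dropboxusercontent.com hostnames, and the two RU-hosted domains motorans.com and seburage.com. Rows to port 443 over udp are QUIC, not a separate service. The one destination on a non-standard port, 193.109.85.43:54801 for motorans.com, is the row most worth pulling the PCAP for.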
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\b2a7c81d-dce0-4bda-982a-6601a119d6a5
| MD5 | 4984e3e39bc536fa309ef8986ce877b2 |
| SHA1 | f715f7956dee675b5c45a731d3b92e1d000545be |
| SHA256 | 090994a21f76fbaaf2789dffa598fbeebaf201a74546327501aab2de93ea6ff4 |
| SHA512 | d60c1bb68d7963f99ca659a0d7455ea5f6b321bc21f8fee23a67771effe3efea917fcb9837347119c19f1188a1015196050e8ead78f23c09d1025224d50f833b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\2c962544-26e3-4650-8424-1903e5537079
| MD5 | 9daf2b5f44384ab639ac42b7e830b807 |
| SHA1 | fbba036ef2e05ac0904ff4bd1a7f22f9b49bbd0d |
| SHA256 | d16875a71ac3b79ad9ac999d913f1ab728bb8009a834604775fd38978fa2af8d |
| SHA512 | 9febc66934584141299e665fb85e13adb10f0962da695ca007e7a80083c14a72226f6516feb38eca30e51b65545bf6a41e6023acf6e0f0ab733dd41cdcee653d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\82c57b42-0198-4d96-ad54-fe9013b46705
| MD5 | f592cdb98de13ec91793b03b564b12aa |
| SHA1 | de8f0bc02f11e9fcd6d30c0e46eee551f13e3a38 |
| SHA256 | e4b715e7fe425993c8453811b06bbe44d0879738f8f4f6845ddc0364ff30a3bd |
| SHA512 | c24047a899fd071cb266193e8444f1cc8c9b469a4a72851b0334b3a30fe98fcbe40d78f8677988550d449f8f7def02efc4857cd897400d0354e211a991427975 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 374ce43c76751636beb1cdc9f45afebd |
| SHA1 | cb991176ad536eb4b2917adf419d9d23788cf7f6 |
| SHA256 | 21beb205cc927fc9ce2e53ad7f01dc54659a9f8fa74fc065ee91a64867dd4022 |
| SHA512 | fec17d19d86f758679838ea1a8aa0de38bbccbd6ceb12bc51fcf5ef7f9b84fca3d3f69ec7f9010d7dfff987d41c953fdda8aa8c5df98607b781e8a2a1c1b778c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
| MD5 | 579c57c4d4d9a002c5a42d7e335e24d1 |
| SHA1 | 2224e4aad6261156870d2e77ec94b7e35f634e1a |
| SHA256 | f6c41f1a32f2f004ed731053775c86de56e5a3047dc2ddf3df8b2ce875831351 |
| SHA512 | 2f94524b97e0e1fd8f40ec6242e74bc8f324f8f98d47d0b8fc989167d6c55da0dcd0eb557411469adbd899d73b942c43d09e8f8e38cccb35f1325a8b675fffd3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
| MD5 | f6162fbca9b928222e65be3fb8a74d12 |
| SHA1 | b5207a5abf79e39732dbe8b734cbba9043e5ea00 |
| SHA256 | 40fa0385b81f0600ff71b2f3d878527f35971d85a9129de1fcd89d5031914d0d |
| SHA512 | 26203363f341ffa942274538e97192b251bf64f3d79a56b825be5fe8be896a5b8f06a0c66b2ec6a99997ed1db84a25bd2fbaff046472bd15bf70d04e8dd9ee04 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 6c953239fcd458b0439535ab24dca10a |
| SHA1 | 70a312d5ca8284b80974430c83359394094fafed |
| SHA256 | c604ac604d6a3a3f2b050b18556a7643d746c74aa47930ffa228a697e01fb582 |
| SHA512 | 79df5bcedae3c816936938c955f77ad5d7a122fc8e4ef7c348b739eeb2077aa7ea700af563afe5151bcdf8d0a1a78764a54a9f67a5d3828f4e3d255fb61fc777 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json
| MD5 | 7d388316920bf289449d5f4fd202e95c |
| SHA1 | 9c9ad52cb7eea8f9e0d480e6e22fa5f07e25dd0d |
| SHA256 | cf4853ea071f97d283e1a6a08270e91f39a1af92bc9678c5030fdf5caa677013 |
| SHA512 | 9df555aea0502c912d1959be41b2bbc35f7e6a75b20f238eb7bf0eda1e6fa938740b155b828aad7541634615e8faf92ca8e6cc2b7f089159c423f2b4f0710e70 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 41f0da9c5cd3658bc04f65c7e2347e8d |
| SHA1 | 4cd4d62f1baf3b51df63a11b4d989a45a6b1dd12 |
| SHA256 | 738d317bda543000b216ab0394a59797ab38b138d15e7add061290a80de3c835 |
| SHA512 | 7250b20c573c73ecc4792c1abd57aa8651b659bbad87f077672f3c7af89c858a1c85dad59184dfb821972dc194f9cc2371684ecb6d47e8d2fc1df91952974f9a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js
| MD5 | 572464b999014ad4f7a8b26612dd41ab |
| SHA1 | bc231df36e4f2a22f72560e473d81b20e58afc86 |
| SHA256 | 8d14088e541e763b41e724dacd2b9b13192b5e00e6cd582d6b7a5d4dc2adac3a |
| SHA512 | ab3327976316504fff406eb643b6463bc9cf3043cfaf86bc07f0c0d69ec846905c2b1189b6bc4abe09f93f98b2f5f9ad389b6b57e0a8fd572673823b76e0113d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
| MD5 | 81807dc6fd95269034196f3bd791446b |
| SHA1 | 8baee70a9b8c7a5b13592125364891bf9fa5bef3 |
| SHA256 | 68cbdf258a9b29b7c9822ae5d1f0159d3f94d1c9c1c4ba69976dd48760e0efe6 |
| SHA512 | 03b95713695e75d3416b9226d9f563d4119560afeb0c968ccda773f7aa6ee1934a79ef644a7e53a5be584678db64474570de000f7ad1a21664d10adf32fdf5f0 |
C:\Users\Admin\Downloads\WiniumDriver.iNuVu18f.msi.part
| MD5 | 63b08411cf4b5a08280641dcd20b447f |
| SHA1 | 0ff5d5e38d82ab2d4fa7ffe2dd68fd933680799f |
| SHA256 | 0e7b85b621ff044fba0f965f21137f72a69cb96b75c02c47a64915eebae8bdc3 |
| SHA512 | 09a4bdd960f4414619bf5a4bcf70938fcbb1aa6583242a7fe99a77a36cde3a9fd5cd3d1892b6129c3919bdf4aad8717cf6fdcdd1637f5ce8e5a51f621a4cd45d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js
| MD5 | 101d84a42f9d6af600228c3b6c3d1e9d |
| SHA1 | 28d1f2a6bcc7ab2d7ec6342212eda1eeb8e22b8d |
| SHA256 | 31c4e55f1535b52263107eec4c8c7336ba9630e24691f17ce335aa9b094aacfd |
| SHA512 | 6041a81b5e7f64cf09b9be965749ee0296fb4d67c36130db28920d023a3a300835c2237f0850ebae6f71be0f1187ccdd1026c44b383209940f7e9085e195f3cc |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
| MD5 | 721ee257cd3a1397d0a3a13f5c4f3f45 |
| SHA1 | 6667be1abb6c8085a85ed256fb733a0103f49345 |
| SHA256 | 16f7bfcc696d99bf937f0a97c286a090d92f399142d8d399944536b3cac57555 |
| SHA512 | c85622d4806eface0ce73fbabedc25092ff17f41ebc697f277fb12adaa5fdc3a1f8e1c40f1c681863c4e112be177731ed514007306c03c3a04f2fae5539e5f3d |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Local\Temp\MSI9DE.tmp
| MD5 | 421643ee7bb89e6df092bc4b18a40ff8 |
| SHA1 | e801582a6dd358060a699c9c5cde31cd07ee49ab |
| SHA256 | d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da |
| SHA512 | d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 2415e21907ff210d5b73e83b63db3724 |
| SHA1 | c1a11a19b05f7bc5021107b5b83911cf85045581 |
| SHA256 | 385b7c1d9b72d8283b0de7492792f9866c3ec2d8ea6f169a1630e4bf036e8f36 |
| SHA512 | f054c438ae6b23f6d2f756b25d352c912487de7b0d00b062d4e0514e027c4b6280589e6b6a61789ec77f0fbaff913b9bbc401b5e1d74557b90188a3cca87873e |
C:\Users\Admin\AppData\Local\Temp\MSI80be2.LOG
| MD5 | 3497fbaa936b2c866ee9f90ccbbcddac |
| SHA1 | 2bbb035b7aa1f17257474a2d68686c59baf8e4e0 |
| SHA256 | be34e18ab1a8f734a82ec4b60999935b70aaf4317f485b418c709ff7dcdd6bdb |
| SHA512 | 4efc3efe287d0863082f2cdd50d98deb558f67abe6f793906b71138b1baad25d1471f11f807e977cb2ae7946fa06c19156f4af67a18c230e29d111f10cae4061 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_1F8F5C0F188BC014D5B60763F6F6FCF1
| MD5 | ba22e6ff58052de94a3b21f05676dbf1 |
| SHA1 | 1b7b40ebde6df15eb28463a5ab0b156261c38d66 |
| SHA256 | 21a524a38d0fefe08c4e203e7f44a1673aa685908864d159d31b707387915bdd |
| SHA512 | 57c443b59c4b3ee0a7d3a58f691096721b8afbc540f81c090f30095659731c6906141962852f80183397ae3aedf331d91fdf2352beacee18c4ffa30e638eabf0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_1F8F5C0F188BC014D5B60763F6F6FCF1
| MD5 | 9118d6756d0e728466e7c88e0648f6e5 |
| SHA1 | dce6614846e2a172a169c2e06fe31c83f97d0dbc |
| SHA256 | 11baa97fe93dd24aaf3eb39aa44e86b3fb21facb5b514ac10b75897437f9b38d |
| SHA512 | 84cc8d41f77326d5e106930ead7d67566a5256edb96e6d96c293cff7e99af4e4ecd219a9da93bb960e4759954a5519a48c4deaa4fb37e6c2e30ad130cb138b06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
| MD5 | c1001285214565ff5f493f51eedfd826 |
| SHA1 | bef796ceb3a31b837acd601dd4860afe8f9950b7 |
| SHA256 | 969273d5dafc8a3df073c72e3c9be850774a11da114fb76e2d99d9416592d41d |
| SHA512 | 8d933dc39bcfa9d89da7cb22a1031cbdfdeda3066ea1e5c911c28df0df5883352b095b2911dcbd22d84382b86bfd6e6b519ba0d0bb7f7284da23fa3caca55afe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
| MD5 | f5404f45013ffc3c5a7d00b0c9fc4526 |
| SHA1 | d19d92879b10e2bd093b1d95570736a65b494d5e |
| SHA256 | e4e6c87d5d5bdcf9255e711254333534e691d5bb02a2a1f60e8b57099f6e72fc |
| SHA512 | 5f18e595941ef0acbe50d4316aea1b9d7893b1266acbc3fe5cc45cbb83e29b66eb2091ab8968317830d3fc50017cb98318e72bef09f1c66654115db6d641821b |
C:\Windows\Installer\MSI42A6.tmp
| MD5 | d2f8c062aba50ca096cbd5387a2d0b8b |
| SHA1 | 04f07790822954d02458d93fba83208ca5223a1a |
| SHA256 | ea6094300c250528ffae4e7972d84eb5b45cfbd018133516c166e40e89ed65bf |
| SHA512 | f51bf12be51832cd7190c255234c558094c0135e8bf05ffd67c2f4a8b0233161fa71c44e86b107956e4b75f5e2a28da58736da61a71f0c600ec1cf1b4e9e86fa |
C:\Config.Msi\e5840ce.rbs
| MD5 | 236fdd379f9035a6adf5309299eb1405 |
| SHA1 | 4defc3c4633b57cc72a8c138ff1a84a4e2c1562a |
| SHA256 | 4fea77dc2c80fb964853a646957c55b71a75439503424576c1821fa6867baf81 |
| SHA512 | 10f6e33f7c2e490d0b50cc71f01154f14e5ee354bb67581451f4facd7057d3976b6f6ea0f3e94c85d41a25f0d4502db2b71bddae266f5a33020a5f897f254405 |
C:\Users\Admin\AppData\Roaming\op\GUP.exe
| MD5 | 7be4b26502bb2a8ed4982805b590dec5 |
| SHA1 | afa1ee71fe23c4e7f8fc0195f5fb4a3d968500b6 |
| SHA256 | 97e196b8aa0694ecf37bddab2ade90ffba78251af7e49f6a24adea0a6ee704b3 |
| SHA512 | 013ce05ca4982b8bbafa33b4011b1a2731c605f581223557ef66cf75df96307d5b2444a9ccb28b3ff39e34ad989e2d5b931ab9bfcccd7dd5f63eabdb726ab749 |
C:\Users\Admin\AppData\Roaming\op\libcurl.dll
| MD5 | e73d75e539b7e9acf48683fc6b2cb4ab |
| SHA1 | 64006f712a8358817cc546922a1c402eb50a88dc |
| SHA256 | 17c8ef5428940de7399b3165fb2f7bf2f247e7082ce14a2c611931ea29f11c40 |
| SHA512 | 0971977cab1348a62ea646cd12544f5285670fbe2cf5039df3a5dd8b002d770f2a143f2656a6c5b9138d6da3282a2321cfc7ef5e4a2e32459b89f9bf96f6b956 |
C:\Users\Admin\AppData\Roaming\op\gup.xml
| MD5 | 30823e98edc86ac1c1b71ba49366bb86 |
| SHA1 | 1fbaedf0850c6bb298d81843a174fe2ed0d09388 |
| SHA256 | f26e3a06fc46eefb24d2d412c5e5ed1bc97ec14e2b7d8670aea0736ce7fb15dd |
| SHA512 | 6a907ec6e57d4a7ee0eac473df439db48d4c3457d440417a0a1908e1e8fbc7a15955166dc5d4b2c2dc42e92caa73c74c12b7f9b477c9991ee677a93cd3aa45f5 |
memory/5984-621-0x000000007F080000-0x000000007F3E9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI824e8.LOG
| MD5 | 0f00d02d6482059d58ba0a3240d99593 |
| SHA1 | 88ce44a091c682c68ae5e9267f4e55e10f560600 |
| SHA256 | f3d72eeec0831cdbd0a3d83e20f2359b93a4e7a1ee11598c4b2f3a624a761490 |
| SHA512 | fee327f148ff9c12ee3617090c18c445b64c2ec15a1711dc622b56172af9c0cc76b0f6cac38b5d6b3f7e2e69628086367a4fa75d114ef54839b3be3177289f81 |
memory/2528-637-0x000001C9A0230000-0x000001C9A0CF1000-memory.dmp
C:\Config.Msi\e5840d0.rbs
| MD5 | dfbe2ffa059c4e6183d84d49d24ef5a2 |
| SHA1 | fb6c6ab155c1a430f5e771cb2063e8da5d841936 |
| SHA256 | d5a3d9e36dd91de172b066141a0acd4dd90833eee13d16f6df3d431ec6ca555d |
| SHA512 | 3dc95410e659d40b13adefdfa3083eace9a10f298f2c54182131aee35f010bc5e1c99074edd2e487aca7692329503f89071a2d4eeb5ee36a79264536b47ac169 |
memory/5984-666-0x0000000072F70000-0x00000000734A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 834c3e57e1644b595cf51ec64f406267 |
| SHA1 | 564a8acdec6d37d8b70a302558c6ec7442504d02 |
| SHA256 | 7764d06e39dd8e2cd6eab8835aa136a0b3bf728bbd591c3b20174a30a3ad5014 |
| SHA512 | 8e353b6a348f1ab6dfa16fe98922e6fc1e01a3e9806c57978136833b0eb8fab8f1e28dabc6fd994acfffb2a5cc5c5d1125592dc75c810794aa35a18b6d140e20 |
C:\Config.Msi\e5840d4.rbs
| MD5 | 2f0934559f14d01680d424fc72bad00f |
| SHA1 | 049fffe2690d834422beb031a0245d47afa6f95d |
| SHA256 | f454d66570bab623c7f2fe4f871ae6c977554347908aef9a867cf8aa819b146a |
| SHA512 | 65fe75b87b9cd35d2b5caf342545ee053e5844e85ddd7615989f28d2a647c80fda30269164f27b176f043ca1a1d3a6cb7b93b2bf8096cc5360e939cfcad1fab3 |
memory/2528-743-0x000001C9A0230000-0x000001C9A0CF1000-memory.dmp
memory/5984-749-0x0000000072F70000-0x00000000734A5000-memory.dmp
memory/5984-772-0x0000000072F70000-0x00000000734A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore-backups\recovery.baklz4
| MD5 | a4b314e84c37bcaec0a568f8292d5d58 |
| SHA1 | 23b2fac24354c6af7390d271ea0dcd2b876747da |
| SHA256 | 7e3256d75dec58094610dcc3f30bf45a4720f3c93b4daaea0842497a69029a67 |
| SHA512 | 42e7e6eae3dfd3be462efc348ae1601586b5f4073980b803f86eb603c25648c2ca3247f435f6e6de76ba2df80e172fa55f9d6c1457194033975bd2e1130183fa |
memory/5984-797-0x0000000072F70000-0x00000000734A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2L3KUMJYMC4FWR1W1NYE.temp
| MD5 | 1e64dd9a982a43ec68f16e6a47c30615 |
| SHA1 | cf32aaa411b83c2de3ddab55ed2f29023ccbf882 |
| SHA256 | 59bc5c408c19e24ee1731c5f8f447c66c98d6a640e38572ec2e0a74d3cfa4244 |
| SHA512 | 54592ea5511c9f60a26d50d6fd607d1f0b247452d65a692477a41abc0d4d06e4318776f5420f44767592ac43d675f6ac3e7ff4c52544cc16dba5e04a98c706dc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js
| MD5 | 8cd4394125eab822a2d7aed804b78bdd |
| SHA1 | 366641f6298d7e852dd2c56214299ae5e100197c |
| SHA256 | fb446f7d942530598f1944331344b0d7abcda9b7f81e7b38a685987759c1d753 |
| SHA512 | 12657b397eb4faa570aa8600ea988fa3b6e85793e7dc031b5beee9267173285ef0f8ab50471c77fd5e708fc7a21ae7181b1dc6ae7c5c197d0c6fb0d2280bae7d |
memory/5984-854-0x0000000072F70000-0x00000000734A5000-memory.dmp
memory/5556-859-0x0000000002620000-0x0000000002A20000-memory.dmp
memory/5556-860-0x0000000002620000-0x0000000002A20000-memory.dmp
memory/5556-858-0x0000000000B80000-0x0000000000B89000-memory.dmp
memory/5556-861-0x00007FFB0D450000-0x00007FFB0D645000-memory.dmp
memory/5556-863-0x0000000075CB0000-0x0000000075EC5000-memory.dmp
memory/2108-864-0x0000000000DB0000-0x0000000000DB9000-memory.dmp
memory/2108-866-0x0000000002C40000-0x0000000003040000-memory.dmp
memory/2108-869-0x0000000075CB0000-0x0000000075EC5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | f2fcd15defc2c1f976314360d538da79 |
| SHA1 | b5e0e3fb578b3e1660bbc6b153f84109278b0210 |
| SHA256 | 8ce02c072804c97a8b802fb6da148b44b0e07704aca3913d0f820f2822409c71 |
| SHA512 | ce0607c2f6501f455623be10db973fcaa5152dffe46997fe1f5ed93058d634fd6f09fd88308e3ce4b942e97f4fd6cc13a71ab5512e86d0a15137bf29dca1586f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 594656f6ad6a0a537e1a833e8d25bfca |
| SHA1 | cec50713c4b3c46c07e4a7fb28337b9232f27a8e |
| SHA256 | 5fc1d324ce7da7d407f9304bc1b9b61fc6ab5884226d23dfa6af18bec7ad7284 |
| SHA512 | 4f757c704ce2bf6007e9963d1e18983297647ab589d28721ab73d696625ec85086292f1a833f9633ed8175f8974293d5f3cf54bb5f2cd00905478b405488565d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 5fe09b26184f3e77cf394060cd3373ff |
| SHA1 | 47dff47223cf9e8485b70863e21f1c3eb801fe04 |
| SHA256 | 24be145c3d7d8fe1531c800275bab507892563b9291fed5f35a86e217a9ffd7b |
| SHA512 | ad2554e3f5ce2f697895a96cdc5ce640063f0c823c0c7c6462e79fa5fee0e2bd3bcfa86cb16ff54c3704bfc3dce665cbfec26a13464901987949bf73bf2956e2 |
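Most of the Files listing is churn in the Firefox profile, the CryptnetUrlCache and the MSI rollback directory; the same path appears several times when the sandbox captured successive writes, and the memory/ entries carry no hashes at all. The script below is an added example, not part of the report: it parses the listing into records, groups the distinct SHA256 values seen per path, and pulls out the dropped binaries and installer payloads that are the useful pivots. The sample listing is a verbatim subset of the entries above; the path prefixes treated as noise and the extensions treated as pivots are assumptions for the example.

```python
"""Added helper for the report's Files listing (example code, not part of the
report). Parses path + hash-table entries, tracks rewrites of the same path and
extracts the SHA256 values of dropped binaries."""
import re
from collections import defaultdict

# Constructed excerpt: a verbatim subset of the report's Files listing.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
| MD5 | 579c57c4d4d9a002c5a42d7e335e24d1 |
| SHA1 | 2224e4aad6261156870d2e77ec94b7e35f634e1a |
| SHA256 | f6c41f1a32f2f004ed731053775c86de56e5a3047dc2ddf3df8b2ce875831351 |
| SHA512 | 2f94524b97e0e1fd8f40ec6242e74bc8f324f8f98d47d0b8fc989167d6c55da0dcd0eb557411469adbd899d73b942c43d09e8f8e38cccb35f1325a8b675fffd3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin
| MD5 | f6162fbca9b928222e65be3fb8a74d12 |
| SHA1 | b5207a5abf79e39732dbe8b734cbba9043e5ea00 |
| SHA256 | 40fa0385b81f0600ff71b2f3d878527f35971d85a9129de1fcd89d5031914d0d |
| SHA512 | 26203363f341ffa942274538e97192b251bf64f3d79a56b825be5fe8be896a5b8f06a0c66b2ec6a99997ed1db84a25bd2fbaff046472bd15bf70d04e8dd9ee04 |
C:\Windows\Installer\MSI42A6.tmp
| MD5 | d2f8c062aba50ca096cbd5387a2d0b8b |
| SHA1 | 04f07790822954d02458d93fba83208ca5223a1a |
| SHA256 | ea6094300c250528ffae4e7972d84eb5b45cfbd018133516c166e40e89ed65bf |
| SHA512 | f51bf12be51832cd7190c255234c558094c0135e8bf05ffd67c2f4a8b0233161fa71c44e86b107956e4b75f5e2a28da58736da61a71f0c600ec1cf1b4e9e86fa |
C:\Users\Admin\AppData\Roaming\op\GUP.exe
| MD5 | 7be4b26502bb2a8ed4982805b590dec5 |
| SHA1 | afa1ee71fe23c4e7f8fc0195f5fb4a3d968500b6 |
| SHA256 | 97e196b8aa0694ecf37bddab2ade90ffba78251af7e49f6a24adea0a6ee704b3 |
| SHA512 | 013ce05ca4982b8bbafa33b4011b1a2731c605f581223557ef66cf75df96307d5b2444a9ccb28b3ff39e34ad989e2d5b931ab9bfcccd7dd5f63eabdb726ab749 |
C:\Users\Admin\AppData\Roaming\op\libcurl.dll
| MD5 | e73d75e539b7e9acf48683fc6b2cb4ab |
| SHA1 | 64006f712a8358817cc546922a1c402eb50a88dc |
| SHA256 | 17c8ef5428940de7399b3165fb2f7bf2f247e7082ce14a2c611931ea29f11c40 |
| SHA512 | 0971977cab1348a62ea646cd12544f5285670fbe2cf5039df3a5dd8b002d770f2a143f2656a6c5b9138d6da3282a2321cfc7ef5e4a2e32459b89f9bf96f6b956 |
memory/5984-621-0x000000007F080000-0x000000007F3E9000-memory.dmp
"""

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumptions for this example: paths that are browser-profile / cert-cache
# churn, and extensions that mark a dropped binary or installer payload.
NOISE_PREFIXES = (
    r"c:\users\admin\appdata\roaming\mozilla",
    r"c:\users\admin\appdata\local\mozilla",
    r"c:\users\admin\appdata\locallow\microsoft\cryptneturlcache",
)
PIVOT_EXT = (".exe", ".dll", ".ocx", ".tmp", ".msi", ".msi.part", ".xml")


def parse_files(text):
    """Return [{'path': str, 'hashes': {alg: hex}}] in listing order.
    A path with no hash rows after it (memory dumps) gets an empty dict."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            records.append({"path": line, "hashes": {}})
            continue
        if not records:
            raise ValueError("hash row before any path: " + line)
        alg, digest = m.group(1), m.group(2).lower()
        if len(digest) != HEX_LEN[alg]:  # catch truncated copy/paste early
            raise ValueError(f"{alg} has {len(digest)} hex chars for {records[-1]['path']}")
        records[-1]["hashes"][alg] = digest
    return records


def versions_by_path(records):
    """path -> distinct SHA256 values seen, i.e. how often the file was rewritten."""
    seen = defaultdict(list)
    for r in records:
        h = r["hashes"].get("SHA256")
        if h and h not in seen[r["path"]]:
            seen[r["path"]].append(h)
    return dict(seen)


def pivot_hashes(records):
    """{sha256: path} for dropped binaries, skipping memory dumps and noise paths."""
    out = {}
    for r in records:
        p = r["path"]
        low = p.lower()
        if p.startswith("memory/") or low.startswith(NOISE_PREFIXES):
            continue
        if low.endswith(PIVOT_EXT) and "SHA256" in r["hashes"]:
            out[r["hashes"]["SHA256"]] = p
    return out


if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    for path, hashes in versions_by_path(recs).items():
        if len(hashes) > 1:
            print(f"{path}: {len(hashes)} versions")
    for sha, path in pivot_hashes(recs).items():
        print(sha, path)
```

On the full listing the pivots are the three C:\Windows\Installer\MSI*.tmp custom-action binaries, the C:\Users\Admin\AppData\Roaming\op\ trio (GUP.exe, libcurl.dll, gup.xml) and the downloaded WiniumDriver.iNuVu18f.msi.part. GUP.exe is the file name Notepad++ uses for its updater, which normally ships with a libcurl.dll beside it; whether this copy is a signed original being used to load the adjacent DLL, or a renamed binary of its own, is the first thing to check against the hashes above (Authenticode signature, reputation lookup) before writing detections on the name.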