ec60beee43104003bc410371ae1ef8e846e17ff5733556dbd8e7acae68058200

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Size

2.4MB
MD5

01181a8e0bc4def08284efb5ac9f840a
SHA1

68c761c2ccda1836051e20c5cf50b99efe6d3b77
SHA256

ec60beee43104003bc410371ae1ef8e846e17ff5733556dbd8e7acae68058200
SHA512

ede6e43c5e4dd56a68a15c06717241464ad9091ca30bd8092f9b10146156a1ae1b761b40bf20acd28a8be3038da7511d6fe3b21c6bb1f7e5d7794f667ff53f44
SSDEEP

49152:TZZuTCbQ4pPiwlugX+JmaSNzY/9rqYv4/QQB6xcz9fT++Y9H7FCD:dZ+Cbgwl1+J3K09O/dB6GxTKFg

Score

8^/10

discovery evasion spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 15 IoCs

pid	Process
712	certutil.exe
3384	certutil.exe
4716	certutil.exe
2000	certutil.exe
3884	certutil.exe
3472	certutil.exe
3440	certutil.exe
220	certutil.exe
2376	certutil.exe
4076	certutil.exe
748	certutil.exe
2416	certutil.exe
640	SoftwareUpdate.exe
4592	SoftwareUpdate.exe
1616	SoftwareUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
712	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
3384	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
4716	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
2000	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe
3884	certutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db-journal	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\pkcs11.txt	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db	certutil.exe
File created	C:\Program Files (x86)\TopShape-B4\uninstall.exe	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	cmd.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key3.db	certutil.exe
File created	C:\Program Files (x86)\TopShape-B4\1060	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\secmod.db	cmd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert9.db-journal	certutil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db	certutil.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4816	sc.exe
4516	sc.exe
2032	sc.exe
2172	sc.exe
2208	sc.exe
232	sc.exe
3968	sc.exe
4904	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FB62F2C07F02E76881C6984B688279E307C10836	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FB62F2C07F02E76881C6984B688279E307C10836\Blob = 030000000100000014000000fb62f2c07f02e76881c6984b688279e307c10836200000000100000002060000308205fe308203e6a0030201020209009094f5e7e0c73583300d06092a864886f70d01010b050030818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f74204341301e170d3138303831333133323334335a170d3338303830383133323334335a30818b310b30090603550406130247423110300e06035504080c07456e676c616e6431183016060355040a0c0f4361756c69666c6f776572204c7464312e302c060355040b0c254361756c69666c6f776572204c746420436572746966696361746520417574686f726974793120301e06035504030c174361756c69666c6f776572204c746420526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d6e394345618de5fa18914d04dd63ec2987abd0236846b8d86a7c343fc95dd3bc38abd2633df46ea30e0f3a82c1de49bbe105e9dfee8aaa1e546a2678d628ef87ad2d2abac1bc9828ca98bebb86572075bb5ee182f60aa7fb3098e5a0a89f41bed98b4463a98013102659b30971a5ca436e21ac9780aadbbebee3f220f296245c91e328ce6106e89ea3f1461ddc3703c1e80679feeaff003a5594206b3c4826bfdcf09922b38b6b044bf49f532cc342b4335a786c6c7cfdafbadc7e3af94b2504ecdd6116789840709c6e951a4bc7400d7f897eb8ffa7734c77c9acb4a108cdaf711054bc2b326057090ed2a13ef71fbd8305c58040814e475cd844bd7ad0afa049de0d73ec1e29ad052672029db370c15252c1d44f49b608b43546d5733b64e92aa89c52e078f5876b803077c5066c878362a7747918795f6236f65edd762c5ed26fd968f010ea040a0f007ce2d92ddf8fed3908d3ca3f1205ddc5cba890e33d145628bfc7f9b5fbed62dd7ee10ba6ef0dbafa25dfa0a69e0b28ea1be59ba2bf3be163633530edfe89a1c49fe83768ba72ffcd9aecc0cabccc781da7b4e281e1d141394f8c633a1f3c09fdd5e301c65ba1c793ef6d655bc922672a39c1309fd60bddb01897d6d68b65c79b05e7180cf6282bf3856ac0ba00e08a9a2a29a817ce478ddf980ad1f917f0e5004ca4f42a0b3b0c8024b33084c585d2873cbe46eef0203010001a3633061301d0603551d0e04160414b37ca2e8f1bea6a3925ddef9b2d7046994542981301f0603551d23041830168014b37ca2e8f1bea6a3925ddef9b2d7046994542981300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201006fa571fa2cb9ec0f2ce0f0df5bd731f784223d6e24535d8701557f0bd0c524baa228117e3f6ceb38b04c4bae8eae9840063881ccef6c1df562b85ef56d4ad5dd0e01a33f99ccb53cca1317ea36f45e60c3230d8ab3d27cfd661c2f5fe0c61e9b7b6c2c19db3f3e5c1790f967b926296e69f813f85220d9a29958a0856422af683b78bb0f7529168866bdfd31e7276bb655b298198bc297d09fa0b954a00736fef381a43169c8c62e93349cdf2bf11478c2a2b873fdb2134ef00cd5da091d5d1a53c512e0dd7f5b6eb102b0a3f4a41a76fa9a23545bf04cf9ce07ffc6e01eb1d7f602a50e4c1ee049080c6bfe7738f881f96300c897708c31ae4044b96fe4b5adc1baa38eedb41ece892f12dd1cd30fbf12d1b54f914fcd8094c242bf30c2856198e7e8bc39839704cb212d787cc736db487dc620e04a71ca8efdf9702cfd94453eeb7e3079bdc344e7305923a3a0dff606f5ec6b5710f7f47bc96aecd57a0648f47767de8f688549765a73140f4759b2c33f4654e880862af6cb50112a08bbb44c7c2f381211345887d04e20e840b33b4952aea2a741673abf4e3b3fb450182260988014c8e9ab6909dc97366cdae80fc5a0e6240d8c153efb8e28b8ba701699530d0f4abdbd13167055d7b20d2d4a8f64862996cbd1e839a6c9d9ee3f17e609394f60015e83c9228ab43dc3e03f07b5e42e722b22b8a8e2d638b3c3e8f51c68	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
2604	msedge.exe
2604	msedge.exe
2028	msedge.exe
2028	msedge.exe
1464	identity_helper.exe
1464	identity_helper.exe
1464	identity_helper.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4336	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	77
PID 1920 wrote to memory of 4336	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	77
PID 1920 wrote to memory of 4336	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	77
PID 4336 wrote to memory of 712	4336	cmd.exe	79
PID 4336 wrote to memory of 712	4336	cmd.exe	79
PID 4336 wrote to memory of 712	4336	cmd.exe	79
PID 4336 wrote to memory of 3384	4336	cmd.exe	80
PID 4336 wrote to memory of 3384	4336	cmd.exe	80
PID 4336 wrote to memory of 3384	4336	cmd.exe	80
PID 4336 wrote to memory of 4716	4336	cmd.exe	81
PID 4336 wrote to memory of 4716	4336	cmd.exe	81
PID 4336 wrote to memory of 4716	4336	cmd.exe	81
PID 4336 wrote to memory of 2000	4336	cmd.exe	82
PID 4336 wrote to memory of 2000	4336	cmd.exe	82
PID 4336 wrote to memory of 2000	4336	cmd.exe	82
PID 4336 wrote to memory of 3884	4336	cmd.exe	83
PID 4336 wrote to memory of 3884	4336	cmd.exe	83
PID 4336 wrote to memory of 3884	4336	cmd.exe	83
PID 4336 wrote to memory of 3472	4336	cmd.exe	84
PID 4336 wrote to memory of 3472	4336	cmd.exe	84
PID 4336 wrote to memory of 3472	4336	cmd.exe	84
PID 4336 wrote to memory of 3440	4336	cmd.exe	85
PID 4336 wrote to memory of 3440	4336	cmd.exe	85
PID 4336 wrote to memory of 3440	4336	cmd.exe	85
PID 4336 wrote to memory of 220	4336	cmd.exe	86
PID 4336 wrote to memory of 220	4336	cmd.exe	86
PID 4336 wrote to memory of 220	4336	cmd.exe	86
PID 4336 wrote to memory of 2376	4336	cmd.exe	87
PID 4336 wrote to memory of 2376	4336	cmd.exe	87
PID 4336 wrote to memory of 2376	4336	cmd.exe	87
PID 4336 wrote to memory of 4076	4336	cmd.exe	88
PID 4336 wrote to memory of 4076	4336	cmd.exe	88
PID 4336 wrote to memory of 4076	4336	cmd.exe	88
PID 4336 wrote to memory of 748	4336	cmd.exe	89
PID 4336 wrote to memory of 748	4336	cmd.exe	89
PID 4336 wrote to memory of 748	4336	cmd.exe	89
PID 4336 wrote to memory of 1436	4336	cmd.exe	90
PID 4336 wrote to memory of 1436	4336	cmd.exe	90
PID 4336 wrote to memory of 1436	4336	cmd.exe	90
PID 4336 wrote to memory of 2416	4336	cmd.exe	91
PID 4336 wrote to memory of 2416	4336	cmd.exe	91
PID 4336 wrote to memory of 2416	4336	cmd.exe	91
PID 4336 wrote to memory of 3144	4336	cmd.exe	92
PID 4336 wrote to memory of 3144	4336	cmd.exe	92
PID 4336 wrote to memory of 3144	4336	cmd.exe	92
PID 1920 wrote to memory of 4904	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	93
PID 1920 wrote to memory of 4904	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	93
PID 1920 wrote to memory of 4904	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	93
PID 1920 wrote to memory of 4816	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	95
PID 1920 wrote to memory of 4816	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	95
PID 1920 wrote to memory of 4816	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	95
PID 1920 wrote to memory of 4516	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	97
PID 1920 wrote to memory of 4516	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	97
PID 1920 wrote to memory of 4516	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	97
PID 1920 wrote to memory of 2032	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	99
PID 1920 wrote to memory of 2032	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	99
PID 1920 wrote to memory of 2032	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	99
PID 1920 wrote to memory of 2172	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	101
PID 1920 wrote to memory of 2172	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	101
PID 1920 wrote to memory of 2172	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	101
PID 1920 wrote to memory of 2208	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	103
PID 1920 wrote to memory of 2208	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	103
PID 1920 wrote to memory of 2208	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	103
PID 1920 wrote to memory of 640	1920	01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe	105

C:\Users\Admin\AppData\Local\Temp\01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01181a8e0bc4def08284efb5ac9f840a_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\add-certs.cmd
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:712
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:3384
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3884
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release"
    3⤵
    - Executes dropped EXE
    PID:3472
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin"
    3⤵
    - Executes dropped EXE
    PID:3440
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin"
    3⤵
    - Executes dropped EXE
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release"
    3⤵
    - Executes dropped EXE
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -A -n "AddedByUser ca.cert" -i "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\cacert\ca.cert.pem" -t "cTC,cTC,cTC", -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release"
    3⤵
    - Executes dropped EXE
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -L -d "C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "AddedByUser ca.cert"
    3⤵
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe
    "C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe" -L -d sql:"C:\Program Files\Mozilla Firefox\browser\defaults\Profile"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2416
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "AddedByUser ca.cert"
    3⤵
    PID:3144
- C:\Windows\SysWOW64\sc.exe
  sc stop TopShape
  2⤵
  - Launches sc.exe
  PID:4904
- C:\Windows\SysWOW64\sc.exe
  sc stop TopShape.me
  2⤵
  - Launches sc.exe
  PID:4816
- C:\Windows\SysWOW64\sc.exe
  sc stop Software Updater
  2⤵
  - Launches sc.exe
  PID:4516
- C:\Windows\SysWOW64\sc.exe
  sc stop TopShape
  2⤵
  - Launches sc.exe
  PID:2032
- C:\Windows\SysWOW64\sc.exe
  sc stop TopShape.me
  2⤵
  - Launches sc.exe
  PID:2172
- C:\Windows\SysWOW64\sc.exe
  sc stop Software Updater
  2⤵
  - Launches sc.exe
  PID:2208
- C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe
  C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe /uninstall
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe
  C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe /install
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\SysWOW64\sc.exe
  sc failure "Software Updater Service" actions= restart/60000/restart/60000// reset= 86400
  2⤵
  - Launches sc.exe
  PID:232
- C:\Windows\SysWOW64\sc.exe
  sc start "Software Updater Service"
  2⤵
  - Launches sc.exe
  PID:3968

C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe
"C:\Users\Admin\AppData\Roaming\TopShape-B4\SoftwareUpdate.exe" /run "/aff_id=1002" "/app_id=1"
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.topshape.me/thankyou.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff80c8546f8,0x7ff80c854708,0x7ff80c854718
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4894102470099275363,5897387789444582860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\defaults\Profile\cert8.db

Filesize
64KB

MD5
f246333f077ea7b490a063eeb7e22913

SHA1
bf10c0615b50279b3d75ef83fe8c594d4868f95f

SHA256
3af11109e80d49b16554050e2d90565d1e849512f4279445b6b8f6a80bc41dc6

SHA512
da7abc23817a8cfebe3b970a28eaef0eb97b6750439c56bcabb1e6e85056050c8291a17ecab6f7b98193ac30c0554d673321eff138ca03c379860113c85f9c45

Download Submit
C:\Program Files\Mozilla Firefox\browser\defaults\Profile\key4.db

Filesize
9KB

MD5
e45c3fb0f28fe6590e3d75c785e65c1f

SHA1
d96690392e6428cac59bbaa9b2bcdbac27e683e5

SHA256
020b3c13b4dc97a12af70e1330d364ff2b17d08b6e4f607f3527ebcf962a2421

SHA512
be49505abd641bfd4a1bf6698578dab5951dbd1b254cf540f863f586a76576833d9f52f82810b047582ff379884d7452085b277132e6627c7fbc4733a0246e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1835b3cc-2cf1-48eb-9db2-2982d5ce99f4.tmp

Filesize
11KB

MD5
9de862c29c5eb34d99d1b4b4e996601d

SHA1
568429ab9ec01e54137941c5cec6cb6b3816b11f

SHA256
8ca5f314b3c7c7771ab5623c971b6f8d37264f81161a81241532951113c6865d

SHA512
3b679bf6b7ce7b2a1dbbb7e596bce9221afcbe857c124a9892d5a1074b916d9af411869b092fb311a764bf038b09bc2e41382bfac8be07f70798c640138ed285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
ef317745c2be2db6dcbf2ef596e7149a

SHA1
14d1b6109a722f066db4442753b749837f000d70

SHA256
9243f7882a7116cc62b7f9f6727f9d4225ff31b3b74289476674734d868372d2

SHA512
bd0de4b2bc09b57ae847bfb652e1b6e3d46ea83d4c7f18b18ce35eff7aeb4d6bfa2a1e0b24fc83e82090127297bb74d80b60cd497e69d0ee67177fc95340d778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f4ca13bcda78bc01a4186b9d1d7eea3c

SHA1
9b06a83e78fc2a54c291cc6aef7dc8e0ee11843e

SHA256
e1313b0a16f98f120629f9fbf12b0f1055d7c3830657c8a3a41f9bebd7d873f7

SHA512
6988ac50e1034a7b0550e3109d64e1623c06d90c43a94fde57aba50b35e562cb5a50b5b1f746f7623b930545d105a54c251f12d518af59dac6c123d6657ff890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2fa065475646d22da7c8a26b13f9c73

SHA1
d1e4f7a1a99ac3d883f363973193f6c68949b746

SHA256
78349b9393d999e6371e49000f7fad8d850dd6d455e21a5863181b2a62383706

SHA512
1faa7315861ed60c50eb26920428876647cb255d0646d9a7c05078d2f5c757d689ea645673b7205247e07d17449b8811e6a254941f02219a14745793d2719a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13481a75ee201e148ccc946b4240e848

SHA1
028fa7854e5a81987b79850ff4f201175896cc46

SHA256
88d9353dfeccfc25067888197bef271044b7f31421e3fabf47f6cf722e6181ba

SHA512
03ff76ccb85dcaf27abf7f117ba7b82cfcf12911f20b1f23398ec37a4b4435a956d702299b61ab5ebb09682b1f2e75aaaba875c0338089285c3f724fad6da75d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\add-certs.cmd

Filesize
3KB

MD5
5ac423d78077c6ec8d99974dd9681d11

SHA1
0d91d80de298fb008f522ed95842932bb92f6099

SHA256
664e3b7b27995e01fd31dff1699b39b995c0e9efebaefa16247669eafce08e08

SHA512
dce34c3dc7bb2cec567be2e12c0362be260c59b940efc869a2421f647af9ce847c4793c86f5a155206c2d41c40ee07144b81992f629ba8d9d2644834effdbda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\MSVCR120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\certutil.exe

Filesize
112KB

MD5
f8da06687fb47ca2c355c38ca2766262

SHA1
4b6bc2776a07cef559e2d9260ee7e3873d2b25d9

SHA256
64ad18f4d9bef01b86e39ca1e774dfa37db46bc8267453c418dd7f723d6d014c

SHA512
128605c51fd15599d69a2713f461605f069a71387ce176bd5afcc65c04a4ca240056b4c1e63846b7e02c29ecd2d163f7ca3b502d881c319203e2110c6fc05862

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\freebl3.dll

Filesize
314KB

MD5
f474dd91bb12f230209ec3163ce7e6c4

SHA1
04ff682e527a1c132f73bd836b7880dfa1128528

SHA256
f63b2cab4b77ac63a1beca66872a991e1f8233f2c513d42460dbf28c733b138c

SHA512
01f1feaacda301b013f5e097fa5816b0075b7389ee0522e8fe350802093f6cdfe6ade24ff2a0350896b333e44a77901bbcead85f8cf98bfa91fb110c18adbfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\nspr4.dll

Filesize
155KB

MD5
bd0e897dbc2dcc0cf1287ffd7c734cf0

SHA1
5c9c6c6082127d106520ff2e88d4cd4b665d134f

SHA256
2d2096447b366d6640f2670edb474ab208d8d85b5650db5e80cc985d1189f911

SHA512
db21b151b9877c9b5a5dc2eda3afa6a75a827ce1f340032427b7de1d9f9803767aecc582862b58885f456c78fc75ee529581089b725975600e45c6af785280a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\nss3.dll

Filesize
788KB

MD5
54f3932864eed803bd1cb82df43f0c76

SHA1
675960acfed6df22ae0a41973b08494554b37f1a

SHA256
96e068e6162a98d212b57c86b14fc539f1bbdccd363f68efd8cdfecc90c699d3

SHA512
3e1eccb33b8371dbe4801c5c3909130eb4e2a8a9aec80d2c7b2528b00dd137c5ffe672095963d207b48e10f8e024c34fe841aa7ed22c7b7fa6e058165fce90b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\nssdbm3.dll

Filesize
100KB

MD5
8cc6a31974a175a65d6c090feed39f42

SHA1
30dfeddc8a4a59aeb7198d8cc9c712f3248a1e51

SHA256
f64111faa9966d7b7859c6467bedbd64559284b049f55ffadc54dfc50a3a4264

SHA512
597b2fb5ba96fe656e2c81d3d411adfc4e693510f130872e16c9cc70355b41fccfc0b9dbc16171af76e2caa7945fdf2519cea40b9ef1a161ed967346df595d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\nssutil3.dll

Filesize
108KB

MD5
c19416e9cf9e571068ca14276c6e0620

SHA1
b5e8ee4659b678fb3b234055b1eeda920eb20b30

SHA256
ba9341807b42e90bb0380d51a83d3d6a0de7d57b6820a8b0cbe5e36e978860fa

SHA512
5cde579f66e0677f1419dc11723e1f7b5a7d408b4b3250e26aa0c0863a46b6fd86f17813416769f1eec89375f3c9c83fed468a17d1ef80f83ff1744927e7da79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\plc4.dll

Filesize
13KB

MD5
88b4df8d7d536a195f866b70c48ed534

SHA1
a385bcd411c3dfad1c08cf56977c1ba45ecbf2f9

SHA256
09f01488a002915b8472a4e82adb7a3e8cb43bd77db347b0178eae614f846a0a

SHA512
b8291cc96a40391d69a75dd348204083f2e21a752a8af3339fd524f8dbb9947575c33eb8ecf77fc177cf2e3568777b2de267cf63301034b28adcfef40ab821c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\plds4.dll

Filesize
11KB

MD5
b7ed50495d311cf6e7ad247968dd2079

SHA1
3364725821ea012f8fa99df102677befc5ff929f

SHA256
20166e281b31ae60672b9d87cb69fcba0c38cc5e18a8ba081c5601ccfab7589f

SHA512
a783f0a00d016a5974f87399637bddd5a5821e3a79c5acb2f6b3f097c9bffefb8a1dee7d968c0646faa2d854a105c57988d244d9c47fb9c189d8383c00a8d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\smime3.dll

Filesize
96KB

MD5
94624bbab23a92e0a5f90cce9a5a340d

SHA1
a81d1e0a2c75657f698cee9346fa85423b9b365f

SHA256
b0104ea7aaa257b111982bd0763c1c47fff76bd70249f84dcad834d50444df1a

SHA512
d623e4d271a0dcc0f16e4a2dc4d10422de42445d6da60a5fdb149c511b5e5363de448696592e11dce118f950eed2e92cffb78056c80e1a8e3a42d44ec54cb9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\softokn3.dll

Filesize
166KB

MD5
6832b9a7ab871d81be42054f117b8299

SHA1
935c0fe7e6cb356a8854e3b7046fd7fc0aa29c61

SHA256
b1316e04b3bf464906f4e015d3e71b4e06a65cc6e59a20a96984ee1e862dcb0e

SHA512
e6579f7df7b3c43219e47630a6b51a576d2ffa9902ddb0f309f5ccb210242dd16ebec75439b2bac22e5cb0b62984386cb6eb4190b2914827b79e3e4afbbdee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\bin\sqlite3.dll

Filesize
467KB

MD5
3a58690aff7051bb18ea9d764a450551

SHA1
5ce859b3229da70925ffa25564cb6d7c84dd6c36

SHA256
d2d0b729837574d2eb6adac4f819bc4f8534ac9a43b17663942b2401a02db02a

SHA512
299634094a624ee8ad2898d3f2bdf8fee23f234c160992e68d087af828a16ff18e3d1fb1ca5755e82f592d6e3e335c63a9c8dad04ef003d2127bbfcdbec649d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\certificate.cer

Filesize
2KB

MD5
1363185d42f410daefe74f2f9b932c7d

SHA1
e62700d8e30658c75600100ec2bab95fe27d3095

SHA256
609bcc31872e361c41c9e3ce6882c5245e052e6bb695d5682a964593fce9b429

SHA512
abadbece11f0c185c6b17d022b6a509ca3904438a1cdd8ca08d768f5c3298335b4c5425c67852397bb7dc60490071f8b617fbf771d9eb179e46e3cda8083fa5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\db\empty\cert8.db

Filesize
64KB

MD5
54026638677f2ed4d24a452821a5be4c

SHA1
9653ec968c1c2595a343f9106a3e7546bc454df0

SHA256
2522bb7036f417d293f7c978c414bc463efd281d218d51f90b6d973e3da104cd

SHA512
9fe10855179f52dd2f7d3be1fb10f84c9e707b8b6580753f5a21c3ead859463d800906da0424b8ff3ee1f59c734d7ee65c31a2af0701f2e2c6627978b7fefa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\db\empty\key3.db

Filesize
16KB

MD5
f6cd36aaa8773caf03a15628d8943951

SHA1
b473fae3265f2023f91396529dce3224dd2b505f

SHA256
ae6d6cb4716eceb1447850ee6105e982718c8710c1488bb709338cd074715222

SHA512
f32fb28353590c98d61d79afeef7415023542f2833bec43d4df68ee696c5a95ad10160d9d94d3434792b0301a942037bf61f021f82941231ed043a9b43dda7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\FF\db\empty\secmod.db

Filesize
16KB

MD5
02a3b00dafc8c7fb117bfcb1de9859cb

SHA1
c0dbc33717ea22ca740e6039fd3459d614599a74

SHA256
38ada995217652d8e48eb6b8eb49e84a0b246ca336254b669285207db61622c1

SHA512
b9e425df73287de15714930e8236cd4e4624887d6193d6ccb5f37850b31e94bfbd737992817bd8b47ecacfc04948207e6bb71a3ff5e30caa41472826d7d44a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\ShellExecAsUser.dll

Filesize
7KB

MD5
86a81b9ab7de83aa01024593a03d1872

SHA1
8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

SHA256
27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

SHA512
cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\nsExec.dll

Filesize
6KB

MD5
b38561661a7164e3bbb04edc3718fe89

SHA1
f13c873c8db121ba21244b1e9a457204360d543f

SHA256
c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

SHA512
fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso36B1.tmp\nsis7z.dll

Filesize
403KB

MD5
d3850d9ef1d81d2ee2e0a1583e3292f8

SHA1
36a88c987ac8fff6d97f5eea9af5c7421f0496ae

SHA256
47ee083861b20a03a751593073dfb533a0aa447833bfb190a73732c7efb2a2b2

SHA512
3af395aeb470f4f5f26d2072811be2d15e90597ed40d5f1a6ab53e6b66f8a143785868db0476cbf129751cee2ae070ddad179848830e1215393c826101f9caac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin\key4.db

Filesize
13KB

MD5
07c95f7d77b85d0314857ad5bde983e9

SHA1
dde030c71d552d7e3b180eee8a234e306535f766

SHA256
6c601977a8f31ded4881212112d23babaa6429dbe45e9ba5a484e6a1dd877798

SHA512
b671bf98359b72b209d500bec0844fa84d1510ca689ac9d91b6dff53bf9d130f4958b866d2138d89c4e7ffad77e317714c8eb7eee47558626efd7db66f097dfa

Download Submit