Malware Analysis Report

2025-01-18 22:01

Sample ID 240622-nhscqawcnh
Target 01e56543f6c7b85323239505ede60e84_JaffaCakes118
SHA256 68e085f0ff972925746a52b4da1b252728bf8af1f237b8241a8d5c80c03ddf54
Tags: execution, adware, discovery, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral11, behavioral14, behavioral16, behavioral25, behavioral1, behavioral7, behavioral15, behavioral19, behavioral23, behavioral9, behavioral10, behavioral13, behavioral4, behavioral8, behavioral20, behavioral24, behavioral3, behavioral12, behavioral21, behavioral22, behavioral26, behavioral17, behavioral29, behavioral2, behavioral6, behavioral18, behavioral27, behavioral30, behavioral31, behavioral5, behavioral28, behavioral32 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256

68e085f0ff972925746a52b4da1b252728bf8af1f237b8241a8d5c80c03ddf54

Threat Level: Shows suspicious behavior

The file 01e56543f6c7b85323239505ede60e84_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

Tags: execution, adware, discovery, spyware, stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Command and Scripting Interpreter: JavaScript

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 11:24

Signatures

Unsigned PE

8 hits; description, indicator, process and target all N/A.

NSIS installer

Tags: installer

2 hits; description, indicator, process and target all N/A.

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_firefox.js

Signatures

Command and Scripting Interpreter: JavaScript

Tags: execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_firefox.js

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\defaults\preferences\priam_prefs.js

Signatures

Command and Scripting Interpreter: JavaScript

Tags: execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\defaults\preferences\priam_prefs.js

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

140s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\html\background.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

25 hits, all by process C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe; description, indicator and target N/A.

Suspicious use of SendNotifyMessage

24 hits, all by process C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe; description, indicator and target N/A.

Suspicious use of WriteProcessMemory

All 64 hits have process and target C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe and indicator N/A; grouped by description:

Description Count
PID 3708 wrote to memory of 116 2
PID 3708 wrote to memory of 3588 40
PID 3708 wrote to memory of 1060 2
PID 3708 wrote to memory of 3976 20

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\html\background.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa00d46f8,0x7ffaa00d4708,0x7ffaa00d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3980 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56067634f68231081c4bd5bdbfcc202f
SHA1 5582776da6ffc75bb0973840fc3d15598bc09eb1
SHA256 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512 c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

\??\pipe\LOCAL\crashpad_3708_DQJOJVNKMQONFRDR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 81e892ca5c5683efdf9135fe0f2adb15
SHA1 39159b30226d98a465ece1da28dc87088b20ecad
SHA256 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512 c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b5f44a0bd49dafcd53c024c68b9244d8
SHA1 e23111f18814acfd262afdd93442fb5cd741a925
SHA256 278a11ee2a604096bdf7edae53e9fe353b83e9b0a19158e05f606e8532a43579
SHA512 645cca9779c581f69a4c7b64f6925041333d7d914f6b3ce0ecd031d95d50a69ef35a1fbc5e24d384ea8512ed17a5d4c9d111a2339da0c6c85a40b1957a15d3aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ed1f485c44655f3ee753fd5d76433980
SHA1 de81656cec0dba216ea9a41a69e594eea4bc9f07
SHA256 debdbc0b95183ed3c1324ea0a8f3c7980812ac97dcc9f6808ef3ce3196e2412e
SHA512 2f4fc821c2b59ea8b3c9d65a757d9b7d49b2281519718573d12f0e786e523fc5b875f0d469f3dfa4ab069470fa220238032daa61ad5737039b27914e5003655d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b6ebe850dbed3edce28f6009ecb9c760
SHA1 9d6d1098531ca437b53a2595f28c4c212ef24d95
SHA256 0818414b8a9fb8886d429c41482729ef0a9dbd9dcffc6840d17deb6182b57b48
SHA512 089d8ee1a6166cf296a78d3f7f99f48022173706c8ca62bb2b4024909f627c0f241cc199249ebf68cf7790ccfe02b37ea53eea832d6ad6ed4d1331f157935f3e

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam IE BHO" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Wajam\IE\favicon.ico C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\Updater\wajamLogo.bmp C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\install.log C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\IE\priam_bho.dll C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Wajam\install.log C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\uninstall.exe C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425217327" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F7BC4BA1-3089-11EF-AFF9-DA79F2D4D836} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000ebfba11770f73dcc66c2d54ef52b725ac26ed9d37d99e2d44da314331b0cb1cd000000000e8000000002000020000000a43a1e3455f481b0d0fb9b303e09de6dfe9a82ac8f3f25e9e14b77044c4c709c20000000e1d35d7bc0a2d0bc586981f78cfb803050624003fc48f51f68be9e4c569e83b540000000a9a1fd3a7ade42bb8de534bd997ad048afec0447dfb3aa444f4c915f4dc15a10c9c2f43cbf9e6a7c9ec2c2b1b2a1caefcb2e1330c72833788de9005d9bf66187 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40880dcf96c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\WpadDecisionTime = a04470b996c4da01 C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a4-51-75-91-6e\WpadDecisionReason = "1" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a4-51-75-91-6e\WpadDecisionTime = a04470b996c4da01 C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a4-51-75-91-6e\WpadDecision = "0" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\WpadDecisionReason = "1" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\WpadNetworkName = "Network 3" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7} C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\WpadDecision = "0" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a4-51-75-91-6e C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\36-a4-51-75-91-6e C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\ = "Wajam" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Wajam\\IE" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\ = "WajamDownloader Class" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID\ = "wajam.WajamDownloader.1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\ = "Wajam" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID\ = "wajam.WajamBHO.1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ = "WajamDownloader Class" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer\ = "wajam.WajamBHO.1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods\ = "18" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\Programmable C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\ = "WajamDownloader Class" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID\ = "wajam.WajamDownloader" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\ = "wajam 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17} C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer\ = "wajam.WajamDownloader.1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}\LocalService = "WajamUpdater" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}\ = "Wajam" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL\AppID = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\VersionIndependentProgID\ = "wajam.WajamBHO" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Writer PID Target PID Writes Writer image Target image
2300 2676 4 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
2676 2920 4 C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
2300 2780 4 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Windows\SysWOW64\Taskkill.exe
2300 2296 7 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
2300 2584 4 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
2584 2536 4 C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
2300 2412 4 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
2412 2620 4 C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
2300 1372 4 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Program Files\Mozilla Firefox\firefox.exe
1372 1332 12 C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
1332 544 3 C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
1332 1144 10 C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe"

C:\Windows\SysWOW64\net.exe

net stop WajamUpdater

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WajamUpdater

C:\Windows\SysWOW64\Taskkill.exe

Taskkill /IM WajamUpdater.exe /F

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service

C:\Windows\SysWOW64\net.exe

net start WajamUpdater

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start WajamUpdater

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.wajam.com/index.php?firstrun=1&unique_id=55A9EF60FB61650E48DB9D7F19F956E1&aid=1642&aid2=none&enabled=1"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.0.1347903021\1328612313" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aca378bc-966d-4530-a6b7-4e8fbe7a4d8e} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 1296 102efe58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.1.556569715\702964750" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc843a33-d711-45e6-98de-74affd411afa} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 1512 e72858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.2.146558151\769928201" -childID 1 -isForBrowser -prefsHandle 1900 -prefMapHandle 1788 -prefsLen 21733 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76730eeb-d9e5-4170-9c30-5d9554800023} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2100 e63258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.3.394073693\694017561" -childID 2 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5864657-3b57-4be8-b806-3c8728328f53} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2928 e2f258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.4.1954760981\1768116358" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c54c633c-0bc0-4853-b478-3f849ad7fede} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3836 1d596e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.5.745669728\490126610" -childID 4 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62e8bc24-760d-489d-933c-37d9617d8f51} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3932 1d594d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.6.1396478968\887774837" -childID 5 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a329c93d-f9ea-4fdb-a3f7-55fbef2a2c5b} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 4104 1d596b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.7.50057171\1863795806" -childID 6 -isForBrowser -prefsHandle 4308 -prefMapHandle 4280 -prefsLen 26531 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94630327-49f2-4642-b2c0-d19d69fcd5f3} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 4316 209c0558 tab
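
Read together, the command lines above are one procedure: the installer stops the WajamUpdater service, force-kills its process, runs the dropped WajamUpdater.exe with /Service, starts the service again, and then opens Internet Explorer on a firstrun URL and Firefox on a local HTML page that triggers the extension. The script below is an added example, not part of this report or of the sandbox's tooling: it rebuilds the process tree from the "wrote to memory of" lines, collapsing the repeated lines into a write count per parent/child pair, and flags the stop/kill/start chain in the command lines. It assumes each repeated line is one WriteProcessMemory call, and the embedded input (a subset of the lines above) shortens the sample's file name to SAMPLE.exe.

```python
"""Rebuild the process tree behind the 'wrote to memory of' lines and flag
the stop/kill/start service chain in the command lines.

Added example for this report; it is not the sandbox's code. Event lines and
command lines are copied from the report (sample name shortened to SAMPLE.exe);
treating each repeated line as one WriteProcessMemory call is an assumption."""
import re
from collections import Counter

# Constructed input: a subset of the injection events listed in the report.
EVENTS = r"""
PID 2300 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\net.exe
PID 2300 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\net.exe
PID 2676 wrote to memory of 2920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2300 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\Taskkill.exe
PID 2300 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
PID 2300 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\net.exe
PID 2584 wrote to memory of 2536 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2300 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2412 wrote to memory of 2620 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Constructed input: command lines copied from the report's process list.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe"',
    r"net stop WajamUpdater",
    r"C:\Windows\system32\net1 stop WajamUpdater",
    r"Taskkill /IM WajamUpdater.exe /F",
    r'"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service',
    r"net start WajamUpdater",
    r"C:\Windows\system32\net1 start WajamUpdater",
]

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.*)$")
STOP_RE = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)
START_RE = re.compile(r"\bnet1?(?:\.exe)?\s+start\s+(\S+)", re.I)
KILL_RE = re.compile(r"\btaskkill\b.*?/IM\s+(\S+)", re.I)


def parse_events(text):
    """Count WriteProcessMemory calls per (writer PID, target PID) and record
    the image path seen for every PID."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        writer, target, _desc, paths = m.groups()
        cut = paths.rfind(" C:\\")  # both images are absolute paths: split at the second one
        edges[(writer, target)] += 1
        images.setdefault(writer, paths[:cut])
        images.setdefault(target, paths[cut + 1:])
    return edges, images


def children(edges, pid):
    return sorted({t for (w, t) in edges if w == pid}, key=int)


def render_tree(edges, images, root, depth=0):
    """Indented tree rooted at `root`; each child carries the number of writes
    its parent made into it, which is all the repeated report lines encode."""
    lines = ["  " * depth + f"{root} {images.get(root, '?')}"]
    for child in children(edges, root):
        sub = render_tree(edges, images, child, depth + 1)
        sub[0] += f"  [{edges[(root, child)]} write(s)]"
        lines.extend(sub)
    return lines


def service_restart_chain(cmdlines):
    """Services that were stopped, had their process force-killed and were
    started again in one run: the sequence this installer uses for its updater."""
    stopped, killed, started = set(), set(), set()
    for c in cmdlines:
        if m := STOP_RE.search(c):
            stopped.add(m.group(1).lower())
        if m := START_RE.search(c):
            started.add(m.group(1).lower())
        if m := KILL_RE.search(c):
            killed.add(re.sub(r"\.exe$", "", m.group(1), flags=re.I).lower())
    return sorted(stopped & killed & started)


if __name__ == "__main__":
    edges, images = parse_events(EVENTS)
    print("\n".join(render_tree(edges, images, "2300")))
    print("service restart chain:", service_restart_chain(CMDLINES))
```

Run as a script it prints the tree with the write count on each edge; since that count is the only information the repeated report lines carry, collapsing them loses nothing. The chain detector accepts both net.exe and net1.exe because, as the tree shows, net.exe hands the actual work to net1.exe.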

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.wajam.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 52.25.243.81:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49279 tcp
N/A 127.0.0.1:49287 tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.prod.mozaws.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1---sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1.sn-aigl6ney.gvt1.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
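
Almost every row in this table is Firefox and Internet Explorer doing their own start-up work (Pocket, telemetry, remote settings, tracking-protection lists, the OpenH264 and Widevine downloads, ieonline.microsoft.com). The only name the sample itself causes to be looked up is www.wajam.com, and no connection to it appears in the table. The script below is an added example, not the sandbox's own code: it separates sample-attributable traffic from browser background traffic with a suffix allowlist (the allowlist is this example's assumption), reports names that were resolved but never contacted, and extracts the tracking parameters from the URL the sample passes to iexplore.exe. Its input is a subset of the rows above plus the iexplore.exe command line from the process list.

```python
"""Separate the sample's own network activity from the detonation's browser noise
and pull the tracking parameters out of the firstrun URL.

Added example for this report; not the sandbox's code. The rows and the
iexplore.exe command line are copied from the report; the background suffix
list is this example's own assumption."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed input: a representative subset of the report's Network rows
# (Country Destination Domain Proto; rows without a domain have three columns).
NETWORK = """
US 8.8.8.8:53 www.wajam.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 52.25.243.81:443 shavar.services.mozilla.com tcp
N/A 127.0.0.1:49279 tcp
NL 2.18.121.79:80 ciscobinary.openh264.org tcp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Assumption: traffic to these suffixes comes from the sandbox's own Firefox/IE
# (telemetry, updates, safe-browsing lists, codec downloads), not from the sample.
BACKGROUND_SUFFIXES = (
    "mozilla.com", "mozilla.net", "mozilla.org", "mozaws.net", "mozgcp.net",
    "getpocket.com", "gvt1.com", "openh264.org", "akamai.net", "microsoft.com",
)

# Copied from the report's process list.
IE_CMDLINE = (
    r'"C:\Program Files\Internet Explorer\iexplore.exe" '
    r'"http://www.wajam.com/index.php?firstrun=1&unique_id=55A9EF60FB61650E48DB9D7F19F956E1'
    r'&aid=1642&aid2=none&enabled=1"'
)


def parse_network(text):
    """Rows -> dicts with country, ip, port, domain ('' when absent) and proto."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage(rows):
    """Bucket the rows into DNS lookups, loopback, known browser background and
    everything else (the sample-attributable IOCs). Names that were resolved but
    never connected to are listed separately: a host that no longer answers
    still leaves a DNS trace worth keeping."""
    dns, local, background, suspect = set(), set(), set(), set()
    for r in rows:
        if r["port"] == 53:
            dns.add(r["domain"])
        elif r["ip"].startswith("127."):
            local.add(f'{r["ip"]}:{r["port"]}')
        elif is_background(r["domain"]):
            background.add(r["domain"])
        else:
            suspect.add((r["domain"] or r["ip"], r["ip"], r["port"], r["proto"]))
    connected = {s[0] for s in suspect}
    resolved_only = {d for d in dns if d and not is_background(d) and d not in connected}
    return {"dns": dns, "local": local, "background": background,
            "suspect": suspect, "resolved_only": resolved_only}


def firstrun_params(cmdline):
    """Host and query parameters of the URL the sample passes to iexplore.exe;
    unique_id and aid (most likely an install identifier and an affiliate id)
    are the values to pivot on across other samples."""
    m = re.search(r'"(https?://[^"]+)"', cmdline)
    if not m:
        return {}
    u = urlparse(m.group(1))
    return {"host": u.hostname, **{k: v[0] for k, v in parse_qs(u.query).items()}}


if __name__ == "__main__":
    t = triage(parse_network(NETWORK))
    print("resolved but never contacted:", sorted(t["resolved_only"]))
    print("connections outside the background set:", sorted(t["suspect"]))
    print("firstrun parameters:", firstrun_params(IE_CMDLINE))
```

On the full table the result is the same as on the subset: the suspect bucket is empty, www.wajam.com is resolved but never contacted, and the two 127.0.0.1 rows are local only. The allowlist is deliberately a suffix match rather than an exact one so that CDN and load-balancer hostnames under the same registrable domain collapse into the background bucket.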

Files

\Users\Admin\AppData\Local\Temp\nsi147C.tmp\IpConfig.dll

MD5 a3ed6f7ea493b9644125d494fbf9a1e6
SHA1 ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
SHA256 ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
SHA512 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

\Users\Admin\AppData\Local\Temp\nsi147C.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsi147C.tmp\DcryptDll.dll

MD5 904beebec2790ee2ca0c90fc448ac7e0
SHA1 40fabf1eb0a3b7168351c4514c5288216cb1566d
SHA256 f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222
SHA512 8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

\Users\Admin\AppData\Local\Temp\nsi147C.tmp\MoreInfo.dll

MD5 80e34b7f576b710d100f6e7c0bed0c2e
SHA1 2b5b895034d41ee0d0d01bf650594ad0d1346662
SHA256 569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99
SHA512 f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

\Users\Admin\AppData\Local\Temp\nsi147C.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

MD5 4aa2cc5979aff984227364f2c23b04f3
SHA1 a252fedceedca1655d593982040cceed07812def
SHA256 b23112ae291efae80aa7f9b1b119eb0da4e426930a23ee77a6a43288f3c0cbb9
SHA512 f0a3d63a90745f7f8e15e526d1e7998ba29392e3af7f847ed9e2ca5c90f2a5889e32794487e31f4973267b9aec0685bb1b7d6a202208a8885ed0bc613439a481

\Program Files (x86)\Wajam\uninstall.exe

MD5 9979166ac0955d94c8bf996788cc57ed
SHA1 cb00d5aee6612816fdda4aa3f4689792eaadd323
SHA256 ab25be7739bc0275d13b9689b7355d70b2dd66cc8f0c683871d717853b64cb1b
SHA512 ada0b4431201026c8e776b603e48dce214e6ecb92a356c15f5437f583fb25e57279eab532ac6e5bd247841ecdc2026db00f669877de020cdff8f83eaeed734b7

\Program Files (x86)\Wajam\IE\priam_bho.dll

MD5 28f3dcbe89cd9dd06fdee806e418a15c
SHA1 f12443dc84b5ad33247e8ac0b0c0765ba78c6a0d
SHA256 0a1fa2058197703119745da2b1b58ec0a28612231924ed10c53cb98a71e2dd7f
SHA512 04eece4f897d620f3669dcfda6e1f6e87e4c428a0021781e7a13f6a0571ba3d15294b8cc16236b62480fd96cb38376f76842471ea7327eb0741d35b15353f32c

\Users\Admin\AppData\Local\Temp\nsi147C.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

\Users\Admin\AppData\Local\Temp\nsi147C.tmp\inetc.dll

MD5 4c01fdfd2b57b32046b3b3635a4f4df8
SHA1 e0af8e418cbe2b2783b5de93279a3b5dcb73490e
SHA256 b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014
SHA512 cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm

MD5 ba7197cc8e52161fcdff765697febe37
SHA1 b03b974574d741ec8ba6042f14553886fe45d76b
SHA256 746739c05859db81f472d8bfe0b2f11ab33a3a661f6943e55e2833184f8925fa
SHA512 168fc12fbfcca80c7398636cb5b8ed0388d5d58227b3c2288f031c48ea490e64d09b1e1d0cd8e7bd67e67e4caae0574909db1d5aa36e8a40c421bf25c93ff8f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\datareporting\glean\pending_pings\70d715c4-5b0c-47bf-b239-4d5b91ee0c8c

MD5 4fce831bbe455704eb1de17ac723eec3
SHA1 27743fffbed6d968adcb5f11f13965bdef45ecb0
SHA256 bb534b5fdadb7e98b171d129999297e70abddb4375d31c1401336045b714263f
SHA512 9e0eb398d135719fe43914cd145d12821cf36b4fbd25e8a0ba430d1da3eb0aed454fddc2987d8b9850a972882b4d7fbe6dfc997545a6e77367bfef2c8bcacebb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\datareporting\glean\pending_pings\e21a7f31-a81e-4c0c-b643-69cf9095411c

MD5 ecffaa48abab1afcada28ad9c4710357
SHA1 2ad253ee51bcb302fe9d25100ca3b0fa30a436ed
SHA256 0e1f8b66e68a9d1a25a60e679a5fc97caab6b2ca5214105cc156175da239a69a
SHA512 996793dc5b68840624d9a7f5e2891ee875107ab16d43657a96ff507b3fe20e8a8fb63538dbfe0cb452ead765a3aa3470831df116ea49e3095dceeb5a15397c97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\datareporting\glean\db\data.safe.bin

MD5 2c42f4eb80fa1ea11d213130d98d0510
SHA1 7337474e53a86a509e9aeb4470e699c662b684ef
SHA256 99fc2989b0a58f791f6630d8eb45b0d51e8d7e4193da550ea468b83c802c2fb9
SHA512 f367974cf16d6d7ea56671138cf123857e5e7982e1ca725f971febf8e3949f14c372b8f11c42dbcb6b7e333c86a610c234ff7ababdb9de90e4f336acf2816bd1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ckqup08y.default-release\activity-stream.discovery_stream.json.tmp

MD5 4773cff8e8cfbefefa1680fb4e716ba1
SHA1 bfd07f4a6a772230a5c425793b74c6c2d47783c2
SHA256 49edc117703704018492b9ff6a0e0470bc1f4b51464bad7aae9cef26348aa2c1
SHA512 380e13d2107461f7e6702c005ba520edc452d484c50451af582f57937ea44e53d93d18a7e18d251fd7a4bc17496327a9587027de85540216b4c6b45a0a00bfa3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ckqup08y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Local\Temp\Cab4FA9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\prefs-1.js

MD5 dd3f042b066efc0759991207b9222371
SHA1 43287c27e714be26a46d2f68835b1c0fe9083799
SHA256 0fc2c7c6be716a1d242983319e3890cea71839c74f33b4ade9268b01481ef240
SHA512 fecc498e0921bf46463fd4b5232ccd1ccbf057bac24a2e487fd6c4f066669a4bd43f7b4add7d5a797ac29980794d66f54d25bc8ae532522b5de529500f37a0d2

C:\Users\Admin\AppData\Local\Temp\Tar5019.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76ef1ae904789494afb720c79e09f4dc
SHA1 205d7ffb5cd7151a2151de32cb790ad59e627d6b
SHA256 e292229bfdfca60681ad33a2c5bc23474f6f56c19b35250c105228ae1ae865b9
SHA512 b52347fe4317c54d5bb81dddb18576f909290118d4266312b0cb0afdd23d68f72cd4916ac0223f95074a5164132f44c7c8e6d31c93b4ae354d95e2edda0a7f3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e98c35488900f78fe1b7c16a42bef9f1
SHA1 28a6140d981ef6eb312149438fbf50a33e7582bd
SHA256 5f05e31d4b3b8c08ff2d3d267d904b003c1ed83549dac02e5926599297a7770a
SHA512 dd49493da4de726e802e3cb3c5877acec37995f8c09e42cb294cb3a0b227830ac8950b6f5eaef3e36a3f95f6ce682977c98cb3a71401d6c23bfc4405d6371f87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a06e7f5d9ee05b9b74605e218b2facc3
SHA1 2094c994bcc25ff9c5425ff4fe5d1a16e0af99da
SHA256 5fe4402f3cf34e1ef5c4d90a536af329d75d2e3e54dfb7644f0131585fdcb80e
SHA512 91eee476cdda7bf616504fa8b3c38161b3c95740ad97aab237d14954517c72a3c8230fc22463d4521d74ab246b96f7370ca14871d5da442009f76e7f2bcb7d3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09844fd16d8c0c0e01cc62c73f627e61
SHA1 bf3481dc2adcb9617eae8caacd41ecf5a9b0c3b4
SHA256 60689c383ef57ccf8f47c787dfbd8c05e08291ccaf76834fc3e5e56a65942e9d
SHA512 c58ed05d324fcafee8caae53e3ba3d548f2b6ea90a1cbfe62ccd4cd5c6a2bfabe969dacdb483e34c58e6c6d987c524f5f02bd5a72d44f95665d9b7965fd5364c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3ef655f5225208298ff99e15d060d55
SHA1 5b72160804383079f05ce072fa980298dcde9979
SHA256 8b0a3fb44d93837684df26255dee2bc67d0e2bf071d60a995f4114273e7b087e
SHA512 44604b6bc213c6c4bfc647083ebc3626a59b3939638b682f62ca3649999f689bd7a6e498ec4b869c6cd5df709d2042512d5bd46684da17baef038517d7cc5e22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 334cb7e1e44739b401fbd088845ed245
SHA1 4d49d95f7e13bb6c0de18f570f8938fe9869c51d
SHA256 d95a2b8711ed1cd3518f73750992bddafa2505e4428d809c9d44f8254c23574b
SHA512 3e136ff3c0f565c8f776a65b696bed96c698a4d6dad19a47bda9fcb3e70b51414d48c0e7f860f50e5fe823186829c83c4ad84d6e5e7ab408727285b7e0217e36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b986cfcd2d9e7d9e5bd0d2c881d1995e
SHA1 24efbfdbe4157108d3f9975ce7fac209931ce720
SHA256 1773e5be291af4da2b93e490999927590b37458742e4136cd434a4d10adc7009
SHA512 ef19705ce787bc9355486066233957ba05bc62b88602ed92b3ec82546266a77e432e552eb419bd379146fa235cf72cff34f9ceb2c40fdaa3b48c91940f5d071c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fcecde94004964203ca468c23c87cc71
SHA1 c8135a9d235cb459df1595916cb47dd81673d6c8
SHA256 ec7266b34495a1deb6c470cea6947535ea440eb120f2a71c2499ff7e5c1f6ae9
SHA512 682f2d90a518b1594ff8a8007e88635402ec8265d8d8f3020336354871839d0e28e49091f44c30a79623efc23f3193c44bce35f1548565988ac05dc6468f350d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 448c1c79bea44cee9698c2d6c7f1879e
SHA1 04b2f244435bca224aed4cf847d5b9d1f2d8a188
SHA256 45b08e7673dd729d97218ae577a1947032b5656e7def8a3eea47ce1c67b22658
SHA512 fc897b5908fe944284971a5ea6b69b022d3803b8875c48872b89173d6e7c1a2683df6e0399fd6888be8138f9a1177a8c9c0c39ff97fd22e6cf60058bde536a2b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\sessionstore-backups\recovery.jsonlz4

MD5 efbaa8180ce46a2688315b505c9369b2
SHA1 f7eec3b8586d84ec75ad690567ebbe1fec513c83
SHA256 dc619977ad8698a75019d637ec29ffe74f8f5676d75a1f6547a31017c871afdb
SHA512 7b7477f12967e50b7f1d999252626f68eabcd7ce0cff2b986467f394d3634e780d2bebed676a28da0708d979c485bf5b3b1e4f3268aff5be6ab3f331652ed003

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ckqup08y.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 13f57aa003dbf179b2ba8640feb9fba0
SHA1 2c4779faf7f95e2b19603db4139ba18752704117
SHA256 629d670f68d228f89951ccb55165b3df0e0068e6cda7c71f7c531aa840789a04
SHA512 35d1b1b3fc3bae2346e088d20051d984d3b89a4ab2116026f46ef59f7a04290bf86aded342c4051bca011a2e674c71bfac305e39ff06f33e61d5068d1849b92a

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\prefs-1.js

MD5 7aa59cb7f67b4138cc6cc6ad105231f1
SHA1 2f1794a4bafb4b2238c9dbe6dc4d59b1fecb1ba7
SHA256 14eb2543f110d94d113a5dfcda25b77fc1c8c73cb4bf3fad5524cf3228b6ba5e
SHA512 b989a187b29f672bdd18341b06cc9f3cf00ecc3f0633abb052287f52473aded04e20e0244b5253b6e751ca0c3c03461ba7e1eec6a134f49c8cdf96495d64d3a4

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ckqup08y.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263

MD5 6bb6d12b6b7ef068d7b50436fd7e6641
SHA1 8defe6b30170be3e463daecf84a24af4d2bdb2f9
SHA256 d68f2477c3828aefa955e34f8dcc0a48df279c08ec27202c8db61a6794c3f1e1
SHA512 f74a30e87ed70eb22679dd1b83f40be824961a99291d44c871c543ec1c4fc06e1227c13ed405d4120d7ebc7604764cb9f0a03d9237ef754d51023cba2c4adaa9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\prefs-1.js

MD5 2da594e85bf618a4d5be0205e11d1bd5
SHA1 2c69ae3b81c64b21d84592a60177420b09657f01
SHA256 d838fc3f897597a40443e2b0e94589d21840c711c82f29ce80b63ff2fd9dbe18
SHA512 09ab1dedfc6c6c2e347c525a9f063d90a04b9377e45cb1bfce98e6a6374227d479937675a838cd623bd6bfe3a799af7e50247131f38fe9bf032292c42aeddc59

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\sessionstore-backups\recovery.jsonlz4

MD5 7751dd8c64d5d262b8675cb43813941d
SHA1 ca49b0a29fb0323661706cd2b0653699cc3a1995
SHA256 daa8a54b6da1be5e6b27a58abc845dda0870d480dff7557999059dd870861a87
SHA512 fb2936695bbdbf66feb292ea52d4ff597a8cf1c591c8f5b227398b057e94a2cf3b2c57ccdab5a7312a10770ca3525c4abdc2b263a063d5ec2e42d42c6d7d9c2e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 55d8ab0b967c7898266057159edf9f20
SHA1 6ced172d6db9277d1fb06a08c0866631d460ebc2
SHA256 16ed89e629299ef90f7c34e883e30ee2a586a49cf48ac995ef2688c68bfa73cd
SHA512 1a90d15b28aefe3584a586fdd3fdf8f64728a3bdaf37188dc7cc3758c46e6853e222ff4f709167c47e2c58cad418b1b571f135aa02be7bbc9a525eed77589518

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a673be3dc69e83c4cf0e9a2740de2a5b
SHA1 04d1763d609fbf9f2c0624b056e54c87e70f1f95
SHA256 6154b9d9ffca691d31e9b8badb610fd4a0b8aeb07e69490ae8eb2a2ce1bc8723
SHA512 034d490d251899cc005777def46d56e5b2fbd789885c1d197a572d7f5e38aad41f56ceca0743971bffa608da9ae1870b3411680f977dd3f698dab405c67adc7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f569a543dd0f49749d2c2fb3ae4b5d82
SHA1 d9c9bc1613a6e64c9ecb1f4bdec20143b35b941d
SHA256 45ebd880063286cecc87783123060cec1bdedfc9448c15ff56775a2b288c586d
SHA512 09360168edab2faa78e7521d186fc247cf7eb563d230dd85d347c1ab7309bbb042cb3e33de341240fbd367326e0eab0d2d8ccb310929ab549840be1ed10312ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f116f6f379bb9bfcc3226ee512ceb1a
SHA1 a40e53cc7a40f849c91cf1b37a752a8519b6f4ed
SHA256 e8c1b458f426e5f611e1e28439f20122a7e1949d49f9950d74e42140de073f97
SHA512 e56a90e209474792072386bc07c756fd34c9694914d464d404f09fb4fa98c07e67b34f742500746fde6038451a97d630bb27614b313127e52621f281d371a6fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61259e426e88bbb742eedf885716493f
SHA1 2edec2bfa4d880f8409461b60c5a03dcec05353f
SHA256 121f75951f9cb447de5bf2da0a676e530d191c2dedf5c9ef57c19f6d96164eea
SHA512 f11f895bb5a015aaca72440cd3df3cc9ab9b32480aa540d26c7688a64e46aeef1943624364fdf26b9fa3f2ee9569767601adf7f1e5bba047700710d31b1543f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2aff1434cbe5b968e255937d45b381a9
SHA1 5b2a8cf2650c27b8dee1b1fce7a4cf959045f600
SHA256 116dcf24caab03db33511211e11700782e0c956040439aedc31a94ab0cfdec29
SHA512 ccc2696d51f766a494d3e9f9d66f34e818c69311a8119e8938b4d7733dcff6d4e349cc8b4a1e734e3ade15d28c358997b9d88daf71241f4b7d458e2b1e14aacc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7e5fee3093e203e35db10d3240d26ef
SHA1 d640b60ec1ca94cfa409e7a16abff61aa3d9854e
SHA256 aa7e9b48c3baa15e67722256109c87fb04bb573454ebe49f4c24a0b18eabf256
SHA512 c940c335f7787d8cc9bfd255b7b82b2caf9e6df865e2361f4e7e2887fd2cbcfb9d31ed37e856c7455e566af8b803f06d031b90f55ce00ef84d1986372f67aa0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f9f96d26f3753c203a10ef7c3f4a708
SHA1 a3f0168c163591f8794abe98195b402045fde669
SHA256 6033fcd4d638067f958b127d1ef3ad85702f75fa21f5f6a2c1d8ca8615d71a4b
SHA512 93702c5ecc0fe7d2a60d5490831ba8239d8cde3cdf45d91d53e7a288636ab1764219175994496746c397ffaddafb94823147ac8a10d6d96f9a9f194ac1e58af9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4441b8b3fd4db6658f74863a90c5952
SHA1 aac404a9f0e43fbdfbbb5cded127a762e4054886
SHA256 de7460eb05e72721ee1dfb8373295dc04d7846e2ba79843ed802f71eeebbdcd9
SHA512 5eac94b9fb78adc32392637bd324fc19a80faa53f818af52e579550c8933d651eac0cfabbba8dc64869151c7235d174e388a65c9a3b37fc706f8f11a2d5d5447

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78a0bed4d75059c370cba41c231256f7
SHA1 2344f9ef4ef37ec0783d4add72503aa7e6a06dfd
SHA256 0bb6b047b7b7177e419b648439db5bfaced12df30d32c473e492a795a2915646
SHA512 3b511f4e82dcff41fedb8a493bde40ebb9cf2cfe3b63a39c82324d0d186bc32f50274fe9a33cb74b5c86819cf9b0b350d493ca7317cd5998581ae8c1dca777e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70264d88e9fceb13c02e8bf4b35cface
SHA1 53f8718b6e839a62e0b7897dd37ad003f5f77932
SHA256 260ed2c0a35edc4eee86956fa8e853acca837e0c0e93c8d502e69a339aa7faf0
SHA512 6900e0800cc8e096bfe3904fb033d54b4267a74c43955fc73e67e1b55e637b790631fbbc3051bde9f07b4c5cc32d6ee4ac987535e2054bc84f09ccf674219d48

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background.js

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240220-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\html\background.html

Signatures

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c73afa9d00624b4e88a89a1476f1719600000000020000000000106600000001000020000000e98be9c83373ead73729e95ba6551f261325fd723e3c7c2b95542d76e0302817000000000e8000000002000020000000d174c1ac177341e544c9bf3a4e5f18708bf05859e14214fde4e235e75a28223620000000d9296ee39a41f83251fd5316f3ed4387abdcafa27dacf6fcbfcdbf883c24b475400000007182f20a2850a2bb1ca91d355b00d8a6ed85c1b66963cae56d70f00590af57b14a289e2671ae872efab6cc5efb3b86c6da6ef5dbe106ec0bafe7f9e17eccc6ec C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F524A901-3089-11EF-8554-DE288D05BF47} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c73afa9d00624b4e88a89a1476f1719600000000020000000000106600000001000020000000c029bb72af826bf6eff2db388b92d8d9ee3abbf2908232658dd55eef889f269d000000000e8000000002000020000000fe449eba54ddbcdf01a691edeb383401b77c1b1dbe910ec164b8d51adb542024900000000980b88c031429cc7d3af0dc5185d5a4cc3ac6609b83bd59ebf42716a2466bc59a7d6f68996919abddea03b9190cd34cd8233b40869fc8119840fb285c80bbc1937923641083b07f003bb8608ddd35e4db76825e8c871df62ba1c8100dd263a786d3bafd0124bf8435a3e685261b1f8dcae25abb8820255d0c9c9f96d13596033bbf8518c1c0088d5e5ab98a4e4fb0b44000000002ebb6e0584a0e26add771ebeef94d5c67a753d9e55f827c9603717355bea8253bdecc38c22199a6c74e8fdfc67e531e881e059e39abf197d5a60df0868dc3be C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425217322" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2028b1c996c4da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\html\background.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab20BD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar219E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94d4c08f5e99e4ed883178c4d7d83ced
SHA1 b0896f1758aee37c1462041b91401769efeefc65
SHA256 bfc31cced088c4b209d1fd4cf4ac15c0e317b51cc3f7634da7ec2b15812cc3ee
SHA512 d62d5a816bb38f16928f0a2a52aa6640480b78981377eb591618ced94b268b28b7ea2397cfaa7f200355756a2278d373bb4069a01247245a5bfeb66094672df3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab68caeb43ee9a2d4d9c27d94ce473e8
SHA1 ea38542fbf3d27c419286698b4273415cdc27073
SHA256 156994f1bc93f873ad7f2b73cf3b37fc1daaf1a5e073a7f983d817cb27c07546
SHA512 f6de7cb333bce6e2b72662c74e2a41e53ccc3087bc3f64ed7fd7dd7a45097302c0abfca8fed3bd1f37027a2881596f7f399a77857d8ba97e8eb0c9ad6623edb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cd888bfcaa1fd51b91887d2ba76d2f9
SHA1 1c3a243dfa852a7c2dc988c51b9f4a971e678282
SHA256 3837fc5ef68a4f5682f7216bf1d0ab7fd992e9cd0b795a90ff6c358605429e22
SHA512 7c6895b9f84081292a85b67aedb3f0af4dae50d247b85d58857f2200b65e739e4cf3ac25eb4b75678864c47284f700ea167b25b3e4c49de174bbe801868601b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e445e4fa6a0efadaf563bf70381d337
SHA1 2d3aa0f9eb31939855f28cbc495ba4dbb6a07c3f
SHA256 a3a842d728ef855c39bb43fc2890e810a1a79c4c0d9f02704b828ff15786ad53
SHA512 868f62e19b0b7b5c8e277f0fd117def6e90fb9476f449f0c83cd63560d31f8ed66a230c03084a4d8adfc77cbefa6eff2ae9193652eaf0f4693fd853a632e9d13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfb4fa813754efd560310ff380bccfc6
SHA1 2c90c88e66217a5a72df2cfff18111d0e3dc78ae
SHA256 4181ef9f5718920f187dd8a79689d735cd6d6ecf219df2e5a166880d546c754e
SHA512 9f9cb0292b3c2a19c326605b099f9aaa3548f9f51ba463ff56d1fd5361aae7d5899d2d27d81b38f118fac8d418e7e73ddbc5d4944170aa3e6bff2349449cbbb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5afb4dbd12dc8f23156475ecae253bc
SHA1 83b25d8de1948a4c5abd26c365a96c48c0594bb0
SHA256 83f4c9bee2875a8b083ea2b001a20e3fd39c9fadc4b8ac893181c9ec97d1f78d
SHA512 c556d4559899c1a362224872e90552a2c8d6fcb3a25c71d9264f905b8c4a9ffda4b9556170b3f21c9c2e0c3133a5cb5dd2571b682fd6b3d1500bc816fb7addf9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b2d8ae6aed823c861f4c312a0777f9b
SHA1 47c301b3cf99a90abef0718f35e2b7882a62730e
SHA256 c038c3e04f05b206cce73918819cdbe72a3997b429c93dcb504c12baa4a53cc5
SHA512 d0e936002eef19eb96884cc6faf3dff60c4056bba34f024fea981ccd40dcaced3517c5441a907855da781de722f6e8348dab0e0ce71de031950a7f3d9e9c67c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abd12133e6775c314eec2f293290c1ff
SHA1 dc870b729424a421c5f40d0e8eab6fed86d77a14
SHA256 cf3eb2d0db5b92ab52fadb71325066ae0f8285f930f678636d25d64ea6c68922
SHA512 928ed0c08eb1326f42311cc76953e36fc9c2e2a59cdcf596a6acc592af77f0b493e0a68fbf5d8d4ba7bc5c811483b1c05e989d806aab2c17e86037077557f94e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad71c77ced8849b47a0c0c6077f43ed9
SHA1 569d7d770b142235fba9d5a833c0f905d9c1d790
SHA256 129a3699352d88692b408c4d682c7cc012fb9ab3d754d0dd8ac05c1b96110ba3
SHA512 9d3c48173d4be731b4ecf588ceb1ce2c9b07acf270c780e956177db4c6426a321ccee86c0dd8a0092d8779b03e45af8ec4ede13e792a5e65736d8766262b4cc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfcd0ae098605754275cb216d0dd98aa
SHA1 3c548c415315b176ffd8bdd404b059cfc2f98183
SHA256 e04d2251027093bd06c7bf08f49a834a23a9db548e3e4b6fc5632699c48ab121
SHA512 96fad298d74a4b7b49d247c85c2e912957d43b5e2b8e1ab694f9d3258e448ffaabdc399f9614d31534c32f8bfa508f7e467e8bf9d08d009dbe15b70dc0415ccf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e0b19b6a39e9267617d601362c017cf
SHA1 c5e16ce151b97a3604be5c004a2148cc52a85f10
SHA256 d197ca87efff911b01a14c514cb04a50c7a0f8f9afe9b5a1ec749e50d58b20ae
SHA512 3f1b3ec6af74ebc77369f979541ed9c59a4f1a3bceed3ab27fd2fd60d5ab0e016cbbf98358a57c1282a5ec7ad98f18d93a6ce91ceb1fa564d0a5c6380c9fac64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a205b8662ad7b2464d94a62ef32dd3f
SHA1 1b5507224538979b4290ae9f4405f5f4d89206f3
SHA256 8985c837c742ed2ca54cf63f4e9f1488f27ff41e15e99b0eca173715d6503878
SHA512 78617198a5812b719fd3c693aa61e752ee24d28302c67f56136785b5a2ba59bf39952b951fe612808ab36dbe2bd6737d4720ec580d17084ba187b5e9fa861546

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57f31d528b54aa57802376403e5af940
SHA1 1145c2aa6d1e61756d7ab05c16f4d230dc46b256
SHA256 8da05e84412eb9d67b50a94cf2e56804d3ce359ca5c961d41ee216be236e5530
SHA512 392d048caa9cca70c0cd14f090af95212f589400a2023f7727c2c133913dc24b9e9e82f5caa5f2c36ad05a8b616b3b42b77668776c535df8177d77ad57feb531

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8727880cf31b4b4270077085816b1ca
SHA1 e75df58676da070b9b40f534ac092c34afd170d1
SHA256 fea348c236b6396fdb092cccd169ed1efa9f8ca9cd96e78e99114c9e4d15d322
SHA512 db59f61deabeec8c93cdae3ab25493ee784f77b0200c3ae723752e1fe6882bd78605472dc132238bfe1bf8c518c90f9575cae2bbdcaec3a4739cfc94460587af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d8d90c10b4c5889f1d7cdfc8fc9d01d
SHA1 dda6b730527b65f94d49678a26e9b43573a65e1d
SHA256 b75957761bbc704e2114d93091501c0bfb45ead2794b5f7f42771274a987044a
SHA512 45b7baaa26181b8a8b43f08308c057f48e3d72af9c636283f18c52cfab47214d3e326dd3f7809121f682c9272bfd9eadf24fb5a9da826910ca9cd042bdcc390b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdd077d19c3a577d44f2af73d0881b2d
SHA1 51cc725e095aa8bfc94325515017832f3e256be1
SHA256 2bceed18cf766335747de0b2732f953068bc10ab812f0c02e2f2cc5a840fd81e
SHA512 a9b7e9ffb75aa34637dd7c1cf011a9e198c45479cd7afe075536e783a4c21ce709e846e05ddc3e11310e07c4c9cda701a1c3a5d224d8019a99d26d1280e00c5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d8ff1689e6160dcaf1e848d62aa950f
SHA1 8bea0fc4504885ab8fe86ef6e8749517af25baee
SHA256 2d0449878c896436faafbb82e7222377efed66754011c594ed6bf6f9e3b6527e
SHA512 647eb154722be132d15c7820c89b9c805d4771caafeafa8a9569577dee3233f40b6de3d62ebb2356d6fb98bc2cf0d68962f6369cff045c5e56b83d50de56094e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99be575a270582b0812ce2081643ae71
SHA1 56cea5b9c53f35b71f465ce9682e5a1be80c24b2
SHA256 dcbdce4b16d8b02a8415a7005e6db20a4f6ac8c2c7e6f787abbfca3a59f26ef1
SHA512 e0f1acc7cc17cb26f9ae724cba2ac43322347ca26fb3ef345ae84ff24f475e7042e601374850fb47f39ed6a6d34df602d941f981b9a057d7296b4f05a32e42b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a02f58b76ea9e1a42f36bcbb989df26d
SHA1 048f2dbfb5d48f4e939513013d730ae3bbf1ca7a
SHA256 9e7b5b6a4379f44479453c119119872ed3e8cf5d8550d1e8c4004d44e58ebd9a
SHA512 be714061f33ba022b0e4d1184846952112a7672ef21b3802de1c2607733e11c444d8c341fa134a465b427763412fec3b971612767079b1d165b647f83252ecd8

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam.js

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_chrome.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_chrome.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background_firefox.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background_firefox.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background_firefox.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background_firefox.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240419-en

Max time kernel

117s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\defaults\preferences\priam_prefs.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\defaults\preferences\priam_prefs.js

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\browserLoad.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\browserLoad.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background.js

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.185:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 185.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_chrome.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_chrome.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\browserLoad.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\browserLoad.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_firefox.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_firefox.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240611-en

Max time kernel

119s

Max time network

119s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_background.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_background.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_background.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_background.js

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4572 wrote to memory of 636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 636 -ip 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 620

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\background.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\background.js

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 224

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam IE BHO" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\uninstall.exe C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\install.log C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\IE\favicon.ico C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\Updater\wajamLogo.bmp C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\IE\priam_bho.dll C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Wajam\install.log C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL\AppID = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\Programmable C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\ = "WajamDownloader Class" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\WOW6432Node\Interface C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\ = "Wajam" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID\ = "wajam.WajamBHO.1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID\ = "wajam.WajamDownloader.1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Wajam\\IE" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\ = "WajamDownloader Class" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}\ = "Wajam" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ = "WajamDownloader Class" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods\ = "18" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer\ = "wajam.WajamBHO.1" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\ = "wajam 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}\LocalService = "WajamUpdater" C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5} C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1 C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID\ = "wajam.WajamDownloader" C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 4088 wrote to memory of 1664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1472 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Windows\SysWOW64\Taskkill.exe
PID 1472 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
PID 1472 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 648 wrote to memory of 532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1472 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4584 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 4584 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 2936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4996 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe"

C:\Windows\SysWOW64\net.exe

net stop WajamUpdater

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop WajamUpdater

C:\Windows\SysWOW64\Taskkill.exe

Taskkill /IM WajamUpdater.exe /F

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service

C:\Windows\SysWOW64\net.exe

net start WajamUpdater

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start WajamUpdater

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "http://www.wajam.com/index.php?firstrun=1&unique_id=F1F7A19E9E7803837C104D984C14D59D&aid=1642&aid2=none&enabled=1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ef3646f8,0x7ff9ef364708,0x7ff9ef364718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.0.494472232\1940736246" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab20276-64a2-4706-9999-1784aaa02882} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 1848 137adab5a58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.1.1306188036\1748083410" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ba58636-b720-4b7b-969c-5ee722acdcc5} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 2440 1379978a558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.2.2080517659\310577629" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9f46bf1-493d-45af-b053-8046563dad06} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 2812 137b0b5fe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.3.1399669908\273857418" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9419d3bf-890d-4b70-8c5b-727f641acdb8} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 1132 13799779c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.4.842268717\1188912657" -childID 3 -isForBrowser -prefsHandle 5028 -prefMapHandle 5024 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61d4a1f-4fdb-46aa-b847-71d60835812d} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 4952 137b3395658 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.5.747260500\1163965461" -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5420 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09f489dc-dd2d-4b98-84a8-dee04abe3578} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5440 137b4389958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.6.52997322\1702476953" -childID 5 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6b23e1d-063b-49aa-89da-3e05d0363fc4} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5568 137b438a858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.7.1835802284\1762263680" -childID 6 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8647509a-cb47-4973-b054-8a31548a34b7} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5772 137b4388a58 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3884 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.131:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 131.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 www.wajam.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.wajam.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
N/A 127.0.0.1:51271 tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 52.33.96.36:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 www.wajam.com udp
US 8.8.8.8:53 36.96.33.52.in-addr.arpa udp
N/A 127.0.0.1:51300 tcp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.73:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 73.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1---sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 166.183.194.173.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 www.wajam.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.wajam.com udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\IpConfig.dll

MD5 a3ed6f7ea493b9644125d494fbf9a1e6
SHA1 ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
SHA256 ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
SHA512 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\DcryptDll.dll

MD5 904beebec2790ee2ca0c90fc448ac7e0
SHA1 40fabf1eb0a3b7168351c4514c5288216cb1566d
SHA256 f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222
SHA512 8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\MoreInfo.dll

MD5 80e34b7f576b710d100f6e7c0bed0c2e
SHA1 2b5b895034d41ee0d0d01bf650594ad0d1346662
SHA256 569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99
SHA512 f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\nsExec.dll

MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

MD5 4aa2cc5979aff984227364f2c23b04f3
SHA1 a252fedceedca1655d593982040cceed07812def
SHA256 b23112ae291efae80aa7f9b1b119eb0da4e426930a23ee77a6a43288f3c0cbb9
SHA512 f0a3d63a90745f7f8e15e526d1e7998ba29392e3af7f847ed9e2ca5c90f2a5889e32794487e31f4973267b9aec0685bb1b7d6a202208a8885ed0bc613439a481

C:\Program Files (x86)\Wajam\IE\priam_bho.dll

MD5 28f3dcbe89cd9dd06fdee806e418a15c
SHA1 f12443dc84b5ad33247e8ac0b0c0765ba78c6a0d
SHA256 0a1fa2058197703119745da2b1b58ec0a28612231924ed10c53cb98a71e2dd7f
SHA512 04eece4f897d620f3669dcfda6e1f6e87e4c428a0021781e7a13f6a0571ba3d15294b8cc16236b62480fd96cb38376f76842471ea7327eb0741d35b15353f32c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b4a74bc775caf3de7fc9cde3c30ce482
SHA1 c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256 dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA512 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

\??\pipe\LOCAL\crashpad_4996_VSHZLJQJAFCVRBQE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c5abc082d9d9307e797b7e89a2f755f4
SHA1 54c442690a8727f1d3453b6452198d3ec4ec13df
SHA256 a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512 ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c3d2db35751461b1cf5d1b40c0af7d6f
SHA1 523149837ddf0205a94efb2efa43abf29c76d1be
SHA256 d3a422d03e72583f196ddb9af01602ae4f46416dff8a4e2a9cc6d70a01261a8c
SHA512 d6da6d1acda9771800721d7e3076d8f51bbe529a7413d8ca5696d42ddb022ac049c8b6b65deb7536f3f1106e091ec9ec3a9641a9a04f7f477dc600f0892d6d8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

memory/1472-118-0x00000000031B0000-0x00000000031D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\inetc.dll

MD5 4c01fdfd2b57b32046b3b3635a4f4df8
SHA1 e0af8e418cbe2b2783b5de93279a3b5dcb73490e
SHA256 b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014
SHA512 cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm

MD5 ba7197cc8e52161fcdff765697febe37
SHA1 b03b974574d741ec8ba6042f14553886fe45d76b
SHA256 746739c05859db81f472d8bfe0b2f11ab33a3a661f6943e55e2833184f8925fa
SHA512 168fc12fbfcca80c7398636cb5b8ed0388d5d58227b3c2288f031c48ea490e64d09b1e1d0cd8e7bd67e67e4caae0574909db1d5aa36e8a40c421bf25c93ff8f1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\activity-stream.discovery_stream.json.tmp

MD5 44eb71383c265709727780d517795f0f
SHA1 d604df128350e87abcb52adc17c321d330608482
SHA256 bf81140ca37cb3a1851b43617489794f5da8b19a42cf28710a08f0f77881f1dc
SHA512 e2170cd6ef65d5b2bac06ff9352c7db2edc86d7ab35ff78b9d819f7592c2278800a8f8d51c743d00681cef29a7cda8d946ffb210fed4e4521a331ee1f81f3510

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs.js

MD5 04d722dbec4da09fedd972cf2bd9aff2
SHA1 4b59f3ee9ead0a37f17b75d9ec3cb7b6ad38e953
SHA256 86ca22c9246d6ed14a342c9a55c8ee9f48f91e75b651ad5bf2e5129f6d5ab154
SHA512 baeaa8de7a5089d875a604c3559b133e1f56808729d807e9e91bc84833c361f440cdb8afacc838dd8847140edf99da66f28b81e11f9f26fd3c1326bc3329f0b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8fa5d2e905a9c6a80d5b719f30390360
SHA1 fab174fc40cd24e7d1c253c3234eef90542079c3
SHA256 1906f9d7d74ce74165bc6d310a7825b91b1f60e39384f21cde73105d1bbef3c2
SHA512 5dfc9f9f95890a1554bcd0cda5435a0e12ec1c77d33c295679553f0791c1bbed392c1c87f693e74fd504242bdf32604914b8c46e343ee14705b51b054c426493

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2ca9924d5dd27a6997a9e3b5a3464c23
SHA1 778fee69e05b9d0204e063e943e8ecf05b0a985f
SHA256 989a712c7622e64622b1e066037acf06375d21749505fadde53997e024c6415d
SHA512 675f0c6b595e28247f44723f3cf058aebcb960c0fd5301ae32675ed6e6a89d2f3440aeb64cdb60527d8dff817a09eb9ce089f80efef7f9dd8f8a48cf8c65b6fe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8e454139f2db4bc6cfb3e932a5ee9b6a
SHA1 d4971a896ae3b0057300e06fca7f1bce3b414315
SHA256 e31f11202ebb433b5578f48b3779c3758245082685920bc1ff952dabe8dd4463
SHA512 f99629471413228cca0b3ae0e30608fa5265125dda5eae6aceeccc29ef31359851af76a4d6b5f64f8e0e09341bce940902d44775e710f677ec935ac62d5670ba

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 4ea3d77b2833bfc3583fedc366cf4b10
SHA1 d56ae86d464fc96086f5d0c8b73e167694a03b9a
SHA256 651535701b3a28d8357589e66d5a4ac8cbcbbd63b6b5126adf720f26c40b32aa
SHA512 b7abe9aa3a1bc4816da3b1b3803970bc234d0edad7492d13ada315aeaf3b9387199a242ea1d7659e74995cb8998c5554d3399a0c4b367e0fe60df423dd5391c9

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

MD5 1af42e5a202d5cb6805ea66817b3f27e
SHA1 e395c8666a13653d20b6e60efd5f6a098af509e8
SHA256 eb15b06ebe08c38f07ed48db625ad9cb7808bbaa9ec3df6af7930d7a60bd399d
SHA512 1290236949615614987c483ad81eec23364d8844aca8fd2c29e3d50f0df727b3cb03a3983e38280890938b6c3eaecdfd28ebde0bf3107be6ad69ae8cdc70c4c7

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263

MD5 15bcc07b9b0b83103d01648215128e64
SHA1 2a09f0284372be8ba4c3923d49e78b4185788800
SHA256 ab8e647affb19150c49eecad8409b5783df2bd04d1b6ba90c88df6807d9f61d1
SHA512 210264b7ab6f0db0c08c2d9ccd9127dfb2890ddee4ff686e2bdf565a541a435411c176edbc6bc54add09c4ff58b65a0a73ce45f43c23cb726f632e49d4984ecc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

MD5 0a5f3d753217356910a9047a52f127da
SHA1 6abb56bc73da6719a7e817d8f3e0949ee246c9ca
SHA256 e74416af38e81fe45dc25a0be3b02d6a46fe274b62f79295ef670d11821ca38a
SHA512 3c056243ea379d32d822f666dfa36bf78f2cd77afeedc063a6fa08c9127d7ea434dc8eec918050f658d695a5ae0706f920e521cb1f34c1dcce2ac48f66258b8e
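
Triage helper added by the editor; it is not part of the sandbox report or of any vendor tooling. It parses the Files table layout used above (a path line, then one digest per line), checks every digest for the expected hex length, lists paths that appear more than once with different SHA256 values (prefs-1.js is recorded twice above, so the file was rewritten during the run and should be pivoted on by path rather than by one hash), and separates the files the NSIS installer staged under nsd4E51.tmp from the Firefox and Edge profile files. The embedded excerpt is a subset of the table above with SHA512 lines left out only for brevity; the NSIS_STAGING pattern (ns<hex>.tmp or $PLUGINSDIR under Temp) is the editor's assumption about NSIS layout, not something the report states.

```python
import re
from collections import defaultdict

# Digest lengths (hex characters) for the algorithms the report lists.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Subset of the Files table above: paths and MD5/SHA1/SHA256 copied from the
# report, SHA512 lines omitted for brevity (the parser accepts all four).
FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

memory/1472-118-0x00000000031B0000-0x00000000031D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\inetc.dll

MD5 4c01fdfd2b57b32046b3b3635a4f4df8
SHA1 e0af8e418cbe2b2783b5de93279a3b5dcb73490e
SHA256 b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm

MD5 ba7197cc8e52161fcdff765697febe37
SHA1 b03b974574d741ec8ba6042f14553886fe45d76b
SHA256 746739c05859db81f472d8bfe0b2f11ab33a3a661f6943e55e2833184f8925fa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

MD5 1af42e5a202d5cb6805ea66817b3f27e
SHA1 e395c8666a13653d20b6e60efd5f6a098af509e8
SHA256 eb15b06ebe08c38f07ed48db625ad9cb7808bbaa9ec3df6af7930d7a60bd399d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

MD5 0a5f3d753217356910a9047a52f127da
SHA1 6abb56bc73da6719a7e817d8f3e0949ee246c9ca
SHA256 e74416af38e81fe45dc25a0be3b02d6a46fe274b62f79295ef670d11821ca38a
"""

# Assumption (editor's): NSIS unpacks its plugin DLLs under %TEMP%\ns<hex>.tmp\
# or %TEMP%\$PLUGINSDIR\ before calling them.
NSIS_STAGING = re.compile(r"\\Temp\\(ns[a-z0-9]+\.tmp|\$PLUGINSDIR)\\", re.IGNORECASE)


def parse_files(text):
    """A line starting with a digest name attaches to the preceding path; any
    other non-blank line starts a new record (memory dumps carry no digests)."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, value = line.partition(" ")
        if algo.lower() in HASH_LEN and current is not None:
            current["hashes"][algo.lower()] = value.strip().lower()
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def validate_hashes(records):
    """Flag missing, truncated or non-hex digests before they become indicators."""
    problems = []
    for r in records:
        if not r["hashes"]:
            problems.append((r["path"], "no digests recorded"))
            continue
        for algo, value in r["hashes"].items():
            if len(value) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
                problems.append((r["path"], f"bad {algo} digest"))
    return problems


def rewritten_paths(records):
    """Paths listed more than once with differing SHA256: rewritten during the run."""
    seen = defaultdict(set)
    for r in records:
        seen[r["path"]].add(r["hashes"].get("sha256"))
    return sorted(p for p, digests in seen.items() if len(digests) > 1)


def nsis_staged(records):
    """Files dropped by the NSIS installer itself, as opposed to browser profile files."""
    return [r["path"] for r in records if NSIS_STAGING.search(r["path"])]


RECORDS = parse_files(FILES_EXCERPT)

if __name__ == "__main__":
    print("check:", validate_hashes(RECORDS))
    print("rewritten:", rewritten_paths(RECORDS))
    print("nsis staged:", nsis_staged(RECORDS))
```

Run it against the full table by pasting the whole Files section into FILES_EXCERPT; the only entry the validator flags in the excerpt is the memory dump, which the report lists without digests.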

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp
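
Added example, written by the editor and not part of the report: a small classifier for the Network table format used above, to separate sandbox background traffic from flows worth a second look. The rows are copied from the behavioral6 table, plus the single TCP row from the behavioral32 table later on this page (52.111.229.43:443, no domain) so that the no-domain branch is exercised. The BACKGROUND_DOMAINS allowlist is an assumption about what a clean win10 image talks to on its own; adjust it for the image in use.

```python
from collections import namedtuple, defaultdict

Row = namedtuple("Row", "country dest domain proto")

# Rows copied from the behavioral6 Network table above, plus the one TCP row
# from the behavioral32 table further down this page.
NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp
US 52.111.229.43:443 tcp
"""

# Assumption (editor's): names a clean win10 sandbox image contacts by itself
# (Edge and Windows reach Bing). Extend this list per environment.
BACKGROUND_DOMAINS = ("bing.com", "bing.net")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Country":
            continue
        # The domain column is blank when the report has no name for the flow,
        # which leaves three tokens instead of four.
        domain = tokens[2] if len(tokens) == 4 else ""
        rows.append(Row(tokens[0], tokens[1], domain, tokens[-1]))
    return rows


def ptr_target(name):
    """'10.28.171.150.in-addr.arpa' -> '150.171.28.10' (PTR names hold the octets reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def in_background(domain):
    return any(domain == d or domain.endswith("." + d) for d in BACKGROUND_DOMAINS)


def classify(row):
    if row.domain.endswith(".in-addr.arpa"):
        return "ptr"                 # reverse lookup of a peer address; note the peer, not the name
    if row.domain and in_background(row.domain):
        return "background"
    if not row.domain:
        if row.dest.endswith(":53") and row.proto == "udp":
            return "dns-unresolved"  # a query whose name the report did not record
        return "direct-ip"           # connection with no DNS name in the table: review
    return "review"


def triage(rows):
    buckets = defaultdict(list)
    for row in rows:
        buckets[classify(row)].append(f"{row.dest} {row.domain}".rstrip())
    return buckets


def ptr_without_connection(rows):
    """Peers that were reverse-resolved but never appear as a destination in the
    table: either background flows the report omitted or an incomplete capture."""
    destinations = {row.dest.rsplit(":", 1)[0] for row in rows}
    resolved = {ptr_target(row.domain) for row in rows if classify(row) == "ptr"}
    return resolved - destinations


NETWORK_ROWS = parse_rows(NETWORK_TABLE)

if __name__ == "__main__":
    for bucket, flows in triage(NETWORK_ROWS).items():
        print(bucket, flows)
    print("ptr-only peers:", ptr_without_connection(NETWORK_ROWS))
```

Two of the PTR rows above resolve to peers the host did connect to (13.107.21.237 and 150.171.28.10, both Bing), so the reverse lookups themselves carry no new information; the remaining PTR targets in the full table have no matching connection row and are what the last helper surfaces.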

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

59s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\background.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\js\background.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3588 wrote to memory of 1504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3588 wrote to memory of 1504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3588 wrote to memory of 1504 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1504 -ip 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240611-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 228

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win7-20240611-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam.js

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4620 wrote to memory of 1556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4620 wrote to memory of 1556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4620 wrote to memory of 1556 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1556 -ip 1556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-22 11:24

Reported

2024-06-22 11:26

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 4220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 4220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 4220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4220 -ip 4220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 604
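
Added example (editor's code, not the sandbox's own signature logic) for the "Suspicious use of WriteProcessMemory" and "Program crash" entries in behavioral30, behavioral28 and behavioral32 above. The inputs are copied from behavioral32, with one constructed signature row added and marked as such to show the negative case. The code collapses the repeated rows (the report logs one row per call), checks whether the write is the 64-bit rundll32.exe setting up the SysWOW64 rundll32.exe it spawns when handed a 32-bit DLL (expected parent-to-child setup, not injection into a foreign process), and extracts the faulting PID from the WerFault command lines to show that the written-to child is the one that crashed.

```python
import re
from collections import namedtuple

Write = namedtuple("Write", "writer target process target_image")

# First three rows copied from the behavioral32 signature table above. The
# fourth row is constructed for illustration (not in the report): a write to an
# unrelated process image.
SIGNATURE_ROWS = r"""
PID 1332 wrote to memory of 4220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 4220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 4220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 9999 N/A C:\Windows\system32\rundll32.exe C:\Windows\explorer.exe
"""

# Command lines copied from the behavioral32 Processes list above.
PROCESS_LINES = r"""
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4220 -ip 4220
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 604
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)")
# '-p <pid>' is the faulting process in both the '-pss' and the '-u' WerFault forms;
# the leading whitespace keeps '-ip <pid>' from matching.
WERFAULT_PID_RE = re.compile(r"WerFault\.exe .*?\s-p (\d+)", re.IGNORECASE)


def parse_writes(text):
    """One Write per distinct (writer, target, images) tuple; repeated rows collapse."""
    seen, writes = set(), []
    for line in text.splitlines():
        m = WRITE_RE.search(line)
        if not m:
            continue
        w = Write(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if w not in seen:
            seen.add(w)
            writes.append(w)
    return writes


def is_wow64_relaunch(process, target_image):
    """64-bit rundll32 handed a 32-bit DLL starts its SysWOW64 twin and, like any
    parent, writes into the new process while setting it up: same binary name,
    writer under system32, target under SysWOW64."""
    p, t = process.lower(), target_image.lower()
    same_binary = p.rsplit("\\", 1)[-1] == t.rsplit("\\", 1)[-1]
    return same_binary and "\\system32\\" in p and "\\syswow64\\" in t


def classify_write(w):
    return "wow64-relaunch" if is_wow64_relaunch(w.process, w.target_image) else "cross-process-write"


def crashed_pids(text):
    """PIDs WerFault was invoked for."""
    matches = (WERFAULT_PID_RE.search(line) for line in text.splitlines())
    return {int(m.group(1)) for m in matches if m}


def correlate(signature_text, process_text):
    crashed = crashed_pids(process_text)
    return [
        {"writer": w.writer, "target": w.target,
         "verdict": classify_write(w), "target_crashed": w.target in crashed}
        for w in parse_writes(signature_text)
    ]


if __name__ == "__main__":
    for entry in correlate(SIGNATURE_ROWS, PROCESS_LINES):
        print(entry)
```

The same write pattern shows up on a clean image whenever a 64-bit launcher starts a 32-bit child, so the verdict only deserves attention when the target image is something other than the writer's own 32-bit twin (a browser, explorer.exe). The crash of the SysWOW64 rundll32.exe in all three $PLUGINSDIR detonations is consistent with NSIS plugin exports being called outside the installer: a plugin export expects the installer's (hwndParent, string_size, variables, stacktop, extra) arguments, whereas rundll32 invokes an export with (HWND, HINSTANCE, LPSTR, int), so the plugin dereferences whatever sits where the NSIS stack pointer should be. That is the editor's likely explanation, not something the report states.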

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

N/A