Analysis Overview
SHA256
68e085f0ff972925746a52b4da1b252728bf8af1f237b8241a8d5c80c03ddf54
Threat Level: Shows suspicious behavior
The file 01e56543f6c7b85323239505ede60e84_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Program Files directory
Command and Scripting Interpreter: JavaScript
Unsigned PE
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies registry class
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 11:24
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240611-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_firefox.js
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\defaults\preferences\priam_prefs.js
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | N/A | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
140s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\html\background.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa00d46f8,0x7ffaa00d4708,0x7ffaa00d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10385116464203205162,9335839655658430729,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3980 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.107.17.2.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam IE BHO" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
NSIS installer
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425217327" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F7BC4BA1-3089-11EF-AFF9-DA79F2D4D836} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000708cc1b7fd6c3539bbf0bbbb58c4094ec7c9bc3c2a4fcc6ca84013a6dff2585c000000000e8000000002000020000000fff63c7899bb9e8e34df7fbfb5ebd1685a52b9e6a6a443159dc61a1f5f925fad900000006119fde4465a87922b93d6abf8450f26d573edb13f69e0c11ca0a65a85035b716136e8ba024034723ef922ebcbb0a6f4b9321213a036d8f8c76594e5f6442f6c877d67d8ae54cf90f98535edfa8b4c4138dbf078f23483883a0c783429e5f6f6fc0e97c8570d4548fe09299ecbc50d65853aec91bd649a0377157e9617f3f9bd791bd618a30d3cb8f67f34e3e4b1202040000000553d4f35c916e98f07e06d08b91e637b0564617082a87863dd64d93bb9b31ffb8f198a9b82779fc7895f8e663fd05f0f4bab18ca5c1e280877c1edf8d4fd9db3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000ebfba11770f73dcc66c2d54ef52b725ac26ed9d37d99e2d44da314331b0cb1cd000000000e8000000002000020000000a43a1e3455f481b0d0fb9b303e09de6dfe9a82ac8f3f25e9e14b77044c4c709c20000000e1d35d7bc0a2d0bc586981f78cfb803050624003fc48f51f68be9e4c569e83b540000000a9a1fd3a7ade42bb8de534bd997ad048afec0447dfb3aa444f4c915f4dc15a10c9c2f43cbf9e6a7c9ec2c2b1b2a1caefcb2e1330c72833788de9005d9bf66187 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40880dcf96c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\WpadDecisionTime = a04470b996c4da01 | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a4-51-75-91-6e\WpadDecisionReason = "1" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a4-51-75-91-6e\WpadDecisionTime = a04470b996c4da01 | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a4-51-75-91-6e\WpadDecision = "0" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\WpadDecisionReason = "1" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\WpadNetworkName = "Network 3" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7} | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\WpadDecision = "0" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a4-51-75-91-6e | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{463F1434-8416-461B-9992-BF87DDBBEBE7}\36-a4-51-75-91-6e | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\ = "Wajam" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Wajam\\IE" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\ = "WajamDownloader Class" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID\ = "wajam.WajamDownloader.1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\ = "Wajam" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID\ = "wajam.WajamBHO.1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ = "WajamDownloader Class" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer\ = "wajam.WajamBHO.1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods\ = "18" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\Programmable | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\ = "WajamDownloader Class" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID\ = "wajam.WajamDownloader" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\ = "wajam 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17} | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer\ = "wajam.WajamDownloader.1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}\LocalService = "WajamUpdater" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}\ = "Wajam" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL\AppID = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\VersionIndependentProgID\ = "wajam.WajamBHO" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "PSFactoryBuffer" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe
net stop WajamUpdater
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WajamUpdater
C:\Windows\SysWOW64\Taskkill.exe
Taskkill /IM WajamUpdater.exe /F
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service
C:\Windows\SysWOW64\net.exe
net start WajamUpdater
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WajamUpdater
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.wajam.com/index.php?firstrun=1&unique_id=55A9EF60FB61650E48DB9D7F19F956E1&aid=1642&aid2=none&enabled=1"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.0.1347903021\1328612313" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aca378bc-966d-4530-a6b7-4e8fbe7a4d8e} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 1296 102efe58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.1.556569715\702964750" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc843a33-d711-45e6-98de-74affd411afa} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 1512 e72858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.2.146558151\769928201" -childID 1 -isForBrowser -prefsHandle 1900 -prefMapHandle 1788 -prefsLen 21733 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76730eeb-d9e5-4170-9c30-5d9554800023} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2100 e63258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.3.394073693\694017561" -childID 2 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5864657-3b57-4be8-b806-3c8728328f53} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 2928 e2f258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.4.1954760981\1768116358" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c54c633c-0bc0-4853-b478-3f849ad7fede} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3836 1d596e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.5.745669728\490126610" -childID 4 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62e8bc24-760d-489d-933c-37d9617d8f51} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 3932 1d594d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.6.1396478968\887774837" -childID 5 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a329c93d-f9ea-4fdb-a3f7-55fbef2a2c5b} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 4104 1d596b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1332.7.50057171\1863795806" -childID 6 -isForBrowser -prefsHandle 4308 -prefMapHandle 4280 -prefsLen 26531 -prefMapSize 233414 -jsInitHandle 732 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94630327-49f2-4642-b2c0-d19d69fcd5f3} 1332 "\\.\pipe\gecko-crash-server-pipe.1332" 4316 209c0558 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wajam.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 52.25.243.81:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:49279 | N/A | tcp |
| N/A | 127.0.0.1:49287 | N/A | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsi147C.tmp\IpConfig.dll
| MD5 | a3ed6f7ea493b9644125d494fbf9a1e6 |
| SHA1 | ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8 |
| SHA256 | ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08 |
| SHA512 | 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1 |
\Users\Admin\AppData\Local\Temp\nsi147C.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsi147C.tmp\DcryptDll.dll
| MD5 | 904beebec2790ee2ca0c90fc448ac7e0 |
| SHA1 | 40fabf1eb0a3b7168351c4514c5288216cb1566d |
| SHA256 | f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222 |
| SHA512 | 8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa |
\Users\Admin\AppData\Local\Temp\nsi147C.tmp\MoreInfo.dll
| MD5 | 80e34b7f576b710d100f6e7c0bed0c2e |
| SHA1 | 2b5b895034d41ee0d0d01bf650594ad0d1346662 |
| SHA256 | 569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99 |
| SHA512 | f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b |
\Users\Admin\AppData\Local\Temp\nsi147C.tmp\nsExec.dll
| MD5 | acc2b699edfea5bf5aae45aba3a41e96 |
| SHA1 | d2accf4d494e43ceb2cff69abe4dd17147d29cc2 |
| SHA256 | 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e |
| SHA512 | e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe |
\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
| MD5 | 4aa2cc5979aff984227364f2c23b04f3 |
| SHA1 | a252fedceedca1655d593982040cceed07812def |
| SHA256 | b23112ae291efae80aa7f9b1b119eb0da4e426930a23ee77a6a43288f3c0cbb9 |
| SHA512 | f0a3d63a90745f7f8e15e526d1e7998ba29392e3af7f847ed9e2ca5c90f2a5889e32794487e31f4973267b9aec0685bb1b7d6a202208a8885ed0bc613439a481 |
\Program Files (x86)\Wajam\uninstall.exe
| MD5 | 9979166ac0955d94c8bf996788cc57ed |
| SHA1 | cb00d5aee6612816fdda4aa3f4689792eaadd323 |
| SHA256 | ab25be7739bc0275d13b9689b7355d70b2dd66cc8f0c683871d717853b64cb1b |
| SHA512 | ada0b4431201026c8e776b603e48dce214e6ecb92a356c15f5437f583fb25e57279eab532ac6e5bd247841ecdc2026db00f669877de020cdff8f83eaeed734b7 |
\Program Files (x86)\Wajam\IE\priam_bho.dll
| MD5 | 28f3dcbe89cd9dd06fdee806e418a15c |
| SHA1 | f12443dc84b5ad33247e8ac0b0c0765ba78c6a0d |
| SHA256 | 0a1fa2058197703119745da2b1b58ec0a28612231924ed10c53cb98a71e2dd7f |
| SHA512 | 04eece4f897d620f3669dcfda6e1f6e87e4c428a0021781e7a13f6a0571ba3d15294b8cc16236b62480fd96cb38376f76842471ea7327eb0741d35b15353f32c |
\Users\Admin\AppData\Local\Temp\nsi147C.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
\Users\Admin\AppData\Local\Temp\nsi147C.tmp\inetc.dll
| MD5 | 4c01fdfd2b57b32046b3b3635a4f4df8 |
| SHA1 | e0af8e418cbe2b2783b5de93279a3b5dcb73490e |
| SHA256 | b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014 |
| SHA512 | cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2 |
C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm
| MD5 | ba7197cc8e52161fcdff765697febe37 |
| SHA1 | b03b974574d741ec8ba6042f14553886fe45d76b |
| SHA256 | 746739c05859db81f472d8bfe0b2f11ab33a3a661f6943e55e2833184f8925fa |
| SHA512 | 168fc12fbfcca80c7398636cb5b8ed0388d5d58227b3c2288f031c48ea490e64d09b1e1d0cd8e7bd67e67e4caae0574909db1d5aa36e8a40c421bf25c93ff8f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\datareporting\glean\pending_pings\70d715c4-5b0c-47bf-b239-4d5b91ee0c8c
| MD5 | 4fce831bbe455704eb1de17ac723eec3 |
| SHA1 | 27743fffbed6d968adcb5f11f13965bdef45ecb0 |
| SHA256 | bb534b5fdadb7e98b171d129999297e70abddb4375d31c1401336045b714263f |
| SHA512 | 9e0eb398d135719fe43914cd145d12821cf36b4fbd25e8a0ba430d1da3eb0aed454fddc2987d8b9850a972882b4d7fbe6dfc997545a6e77367bfef2c8bcacebb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\datareporting\glean\pending_pings\e21a7f31-a81e-4c0c-b643-69cf9095411c
| MD5 | ecffaa48abab1afcada28ad9c4710357 |
| SHA1 | 2ad253ee51bcb302fe9d25100ca3b0fa30a436ed |
| SHA256 | 0e1f8b66e68a9d1a25a60e679a5fc97caab6b2ca5214105cc156175da239a69a |
| SHA512 | 996793dc5b68840624d9a7f5e2891ee875107ab16d43657a96ff507b3fe20e8a8fb63538dbfe0cb452ead765a3aa3470831df116ea49e3095dceeb5a15397c97 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 2c42f4eb80fa1ea11d213130d98d0510 |
| SHA1 | 7337474e53a86a509e9aeb4470e699c662b684ef |
| SHA256 | 99fc2989b0a58f791f6630d8eb45b0d51e8d7e4193da550ea468b83c802c2fb9 |
| SHA512 | f367974cf16d6d7ea56671138cf123857e5e7982e1ca725f971febf8e3949f14c372b8f11c42dbcb6b7e333c86a610c234ff7ababdb9de90e4f336acf2816bd1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ckqup08y.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 4773cff8e8cfbefefa1680fb4e716ba1 |
| SHA1 | bfd07f4a6a772230a5c425793b74c6c2d47783c2 |
| SHA256 | 49edc117703704018492b9ff6a0e0470bc1f4b51464bad7aae9cef26348aa2c1 |
| SHA512 | 380e13d2107461f7e6702c005ba520edc452d484c50451af582f57937ea44e53d93d18a7e18d251fd7a4bc17496327a9587027de85540216b4c6b45a0a00bfa3 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ckqup08y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | c460716b62456449360b23cf5663f275 |
| SHA1 | 06573a83d88286153066bae7062cc9300e567d92 |
| SHA256 | 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0 |
| SHA512 | 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30 |
C:\Users\Admin\AppData\Local\Temp\Cab4FA9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\prefs-1.js
| MD5 | dd3f042b066efc0759991207b9222371 |
| SHA1 | 43287c27e714be26a46d2f68835b1c0fe9083799 |
| SHA256 | 0fc2c7c6be716a1d242983319e3890cea71839c74f33b4ade9268b01481ef240 |
| SHA512 | fecc498e0921bf46463fd4b5232ccd1ccbf057bac24a2e487fd6c4f066669a4bd43f7b4add7d5a797ac29980794d66f54d25bc8ae532522b5de529500f37a0d2 |
C:\Users\Admin\AppData\Local\Temp\Tar5019.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 76ef1ae904789494afb720c79e09f4dc |
| SHA1 | 205d7ffb5cd7151a2151de32cb790ad59e627d6b |
| SHA256 | e292229bfdfca60681ad33a2c5bc23474f6f56c19b35250c105228ae1ae865b9 |
| SHA512 | b52347fe4317c54d5bb81dddb18576f909290118d4266312b0cb0afdd23d68f72cd4916ac0223f95074a5164132f44c7c8e6d31c93b4ae354d95e2edda0a7f3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e98c35488900f78fe1b7c16a42bef9f1 |
| SHA1 | 28a6140d981ef6eb312149438fbf50a33e7582bd |
| SHA256 | 5f05e31d4b3b8c08ff2d3d267d904b003c1ed83549dac02e5926599297a7770a |
| SHA512 | dd49493da4de726e802e3cb3c5877acec37995f8c09e42cb294cb3a0b227830ac8950b6f5eaef3e36a3f95f6ce682977c98cb3a71401d6c23bfc4405d6371f87 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a06e7f5d9ee05b9b74605e218b2facc3 |
| SHA1 | 2094c994bcc25ff9c5425ff4fe5d1a16e0af99da |
| SHA256 | 5fe4402f3cf34e1ef5c4d90a536af329d75d2e3e54dfb7644f0131585fdcb80e |
| SHA512 | 91eee476cdda7bf616504fa8b3c38161b3c95740ad97aab237d14954517c72a3c8230fc22463d4521d74ab246b96f7370ca14871d5da442009f76e7f2bcb7d3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 09844fd16d8c0c0e01cc62c73f627e61 |
| SHA1 | bf3481dc2adcb9617eae8caacd41ecf5a9b0c3b4 |
| SHA256 | 60689c383ef57ccf8f47c787dfbd8c05e08291ccaf76834fc3e5e56a65942e9d |
| SHA512 | c58ed05d324fcafee8caae53e3ba3d548f2b6ea90a1cbfe62ccd4cd5c6a2bfabe969dacdb483e34c58e6c6d987c524f5f02bd5a72d44f95665d9b7965fd5364c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3ef655f5225208298ff99e15d060d55 |
| SHA1 | 5b72160804383079f05ce072fa980298dcde9979 |
| SHA256 | 8b0a3fb44d93837684df26255dee2bc67d0e2bf071d60a995f4114273e7b087e |
| SHA512 | 44604b6bc213c6c4bfc647083ebc3626a59b3939638b682f62ca3649999f689bd7a6e498ec4b869c6cd5df709d2042512d5bd46684da17baef038517d7cc5e22 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 334cb7e1e44739b401fbd088845ed245 |
| SHA1 | 4d49d95f7e13bb6c0de18f570f8938fe9869c51d |
| SHA256 | d95a2b8711ed1cd3518f73750992bddafa2505e4428d809c9d44f8254c23574b |
| SHA512 | 3e136ff3c0f565c8f776a65b696bed96c698a4d6dad19a47bda9fcb3e70b51414d48c0e7f860f50e5fe823186829c83c4ad84d6e5e7ab408727285b7e0217e36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b986cfcd2d9e7d9e5bd0d2c881d1995e |
| SHA1 | 24efbfdbe4157108d3f9975ce7fac209931ce720 |
| SHA256 | 1773e5be291af4da2b93e490999927590b37458742e4136cd434a4d10adc7009 |
| SHA512 | ef19705ce787bc9355486066233957ba05bc62b88602ed92b3ec82546266a77e432e552eb419bd379146fa235cf72cff34f9ceb2c40fdaa3b48c91940f5d071c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fcecde94004964203ca468c23c87cc71 |
| SHA1 | c8135a9d235cb459df1595916cb47dd81673d6c8 |
| SHA256 | ec7266b34495a1deb6c470cea6947535ea440eb120f2a71c2499ff7e5c1f6ae9 |
| SHA512 | 682f2d90a518b1594ff8a8007e88635402ec8265d8d8f3020336354871839d0e28e49091f44c30a79623efc23f3193c44bce35f1548565988ac05dc6468f350d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 448c1c79bea44cee9698c2d6c7f1879e |
| SHA1 | 04b2f244435bca224aed4cf847d5b9d1f2d8a188 |
| SHA256 | 45b08e7673dd729d97218ae577a1947032b5656e7def8a3eea47ce1c67b22658 |
| SHA512 | fc897b5908fe944284971a5ea6b69b022d3803b8875c48872b89173d6e7c1a2683df6e0399fd6888be8138f9a1177a8c9c0c39ff97fd22e6cf60058bde536a2b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | efbaa8180ce46a2688315b505c9369b2 |
| SHA1 | f7eec3b8586d84ec75ad690567ebbe1fec513c83 |
| SHA256 | dc619977ad8698a75019d637ec29ffe74f8f5676d75a1f6547a31017c871afdb |
| SHA512 | 7b7477f12967e50b7f1d999252626f68eabcd7ce0cff2b986467f394d3634e780d2bebed676a28da0708d979c485bf5b3b1e4f3268aff5be6ab3f331652ed003 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ckqup08y.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
| MD5 | 13f57aa003dbf179b2ba8640feb9fba0 |
| SHA1 | 2c4779faf7f95e2b19603db4139ba18752704117 |
| SHA256 | 629d670f68d228f89951ccb55165b3df0e0068e6cda7c71f7c531aa840789a04 |
| SHA512 | 35d1b1b3fc3bae2346e088d20051d984d3b89a4ab2116026f46ef59f7a04290bf86aded342c4051bca011a2e674c71bfac305e39ff06f33e61d5068d1849b92a |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\prefs-1.js
| MD5 | 7aa59cb7f67b4138cc6cc6ad105231f1 |
| SHA1 | 2f1794a4bafb4b2238c9dbe6dc4d59b1fecb1ba7 |
| SHA256 | 14eb2543f110d94d113a5dfcda25b77fc1c8c73cb4bf3fad5524cf3228b6ba5e |
| SHA512 | b989a187b29f672bdd18341b06cc9f3cf00ecc3f0633abb052287f52473aded04e20e0244b5253b6e751ca0c3c03461ba7e1eec6a134f49c8cdf96495d64d3a4 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ckqup08y.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
| MD5 | 6bb6d12b6b7ef068d7b50436fd7e6641 |
| SHA1 | 8defe6b30170be3e463daecf84a24af4d2bdb2f9 |
| SHA256 | d68f2477c3828aefa955e34f8dcc0a48df279c08ec27202c8db61a6794c3f1e1 |
| SHA512 | f74a30e87ed70eb22679dd1b83f40be824961a99291d44c871c543ec1c4fc06e1227c13ed405d4120d7ebc7604764cb9f0a03d9237ef754d51023cba2c4adaa9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\prefs-1.js
| MD5 | 2da594e85bf618a4d5be0205e11d1bd5 |
| SHA1 | 2c69ae3b81c64b21d84592a60177420b09657f01 |
| SHA256 | d838fc3f897597a40443e2b0e94589d21840c711c82f29ce80b63ff2fd9dbe18 |
| SHA512 | 09ab1dedfc6c6c2e347c525a9f063d90a04b9377e45cb1bfce98e6a6374227d479937675a838cd623bd6bfe3a799af7e50247131f38fe9bf032292c42aeddc59 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 7751dd8c64d5d262b8675cb43813941d |
| SHA1 | ca49b0a29fb0323661706cd2b0653699cc3a1995 |
| SHA256 | daa8a54b6da1be5e6b27a58abc845dda0870d480dff7557999059dd870861a87 |
| SHA512 | fb2936695bbdbf66feb292ea52d4ff597a8cf1c591c8f5b227398b057e94a2cf3b2c57ccdab5a7312a10770ca3525c4abdc2b263a063d5ec2e42d42c6d7d9c2e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ckqup08y.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 55d8ab0b967c7898266057159edf9f20 |
| SHA1 | 6ced172d6db9277d1fb06a08c0866631d460ebc2 |
| SHA256 | 16ed89e629299ef90f7c34e883e30ee2a586a49cf48ac995ef2688c68bfa73cd |
| SHA512 | 1a90d15b28aefe3584a586fdd3fdf8f64728a3bdaf37188dc7cc3758c46e6853e222ff4f709167c47e2c58cad418b1b571f135aa02be7bbc9a525eed77589518 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a673be3dc69e83c4cf0e9a2740de2a5b |
| SHA1 | 04d1763d609fbf9f2c0624b056e54c87e70f1f95 |
| SHA256 | 6154b9d9ffca691d31e9b8badb610fd4a0b8aeb07e69490ae8eb2a2ce1bc8723 |
| SHA512 | 034d490d251899cc005777def46d56e5b2fbd789885c1d197a572d7f5e38aad41f56ceca0743971bffa608da9ae1870b3411680f977dd3f698dab405c67adc7d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f569a543dd0f49749d2c2fb3ae4b5d82 |
| SHA1 | d9c9bc1613a6e64c9ecb1f4bdec20143b35b941d |
| SHA256 | 45ebd880063286cecc87783123060cec1bdedfc9448c15ff56775a2b288c586d |
| SHA512 | 09360168edab2faa78e7521d186fc247cf7eb563d230dd85d347c1ab7309bbb042cb3e33de341240fbd367326e0eab0d2d8ccb310929ab549840be1ed10312ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f116f6f379bb9bfcc3226ee512ceb1a |
| SHA1 | a40e53cc7a40f849c91cf1b37a752a8519b6f4ed |
| SHA256 | e8c1b458f426e5f611e1e28439f20122a7e1949d49f9950d74e42140de073f97 |
| SHA512 | e56a90e209474792072386bc07c756fd34c9694914d464d404f09fb4fa98c07e67b34f742500746fde6038451a97d630bb27614b313127e52621f281d371a6fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 61259e426e88bbb742eedf885716493f |
| SHA1 | 2edec2bfa4d880f8409461b60c5a03dcec05353f |
| SHA256 | 121f75951f9cb447de5bf2da0a676e530d191c2dedf5c9ef57c19f6d96164eea |
| SHA512 | f11f895bb5a015aaca72440cd3df3cc9ab9b32480aa540d26c7688a64e46aeef1943624364fdf26b9fa3f2ee9569767601adf7f1e5bba047700710d31b1543f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2aff1434cbe5b968e255937d45b381a9 |
| SHA1 | 5b2a8cf2650c27b8dee1b1fce7a4cf959045f600 |
| SHA256 | 116dcf24caab03db33511211e11700782e0c956040439aedc31a94ab0cfdec29 |
| SHA512 | ccc2696d51f766a494d3e9f9d66f34e818c69311a8119e8938b4d7733dcff6d4e349cc8b4a1e734e3ade15d28c358997b9d88daf71241f4b7d458e2b1e14aacc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7e5fee3093e203e35db10d3240d26ef |
| SHA1 | d640b60ec1ca94cfa409e7a16abff61aa3d9854e |
| SHA256 | aa7e9b48c3baa15e67722256109c87fb04bb573454ebe49f4c24a0b18eabf256 |
| SHA512 | c940c335f7787d8cc9bfd255b7b82b2caf9e6df865e2361f4e7e2887fd2cbcfb9d31ed37e856c7455e566af8b803f06d031b90f55ce00ef84d1986372f67aa0b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9f9f96d26f3753c203a10ef7c3f4a708 |
| SHA1 | a3f0168c163591f8794abe98195b402045fde669 |
| SHA256 | 6033fcd4d638067f958b127d1ef3ad85702f75fa21f5f6a2c1d8ca8615d71a4b |
| SHA512 | 93702c5ecc0fe7d2a60d5490831ba8239d8cde3cdf45d91d53e7a288636ab1764219175994496746c397ffaddafb94823147ac8a10d6d96f9a9f194ac1e58af9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f4441b8b3fd4db6658f74863a90c5952 |
| SHA1 | aac404a9f0e43fbdfbbb5cded127a762e4054886 |
| SHA256 | de7460eb05e72721ee1dfb8373295dc04d7846e2ba79843ed802f71eeebbdcd9 |
| SHA512 | 5eac94b9fb78adc32392637bd324fc19a80faa53f818af52e579550c8933d651eac0cfabbba8dc64869151c7235d174e388a65c9a3b37fc706f8f11a2d5d5447 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 78a0bed4d75059c370cba41c231256f7 |
| SHA1 | 2344f9ef4ef37ec0783d4add72503aa7e6a06dfd |
| SHA256 | 0bb6b047b7b7177e419b648439db5bfaced12df30d32c473e492a795a2915646 |
| SHA512 | 3b511f4e82dcff41fedb8a493bde40ebb9cf2cfe3b63a39c82324d0d186bc32f50274fe9a33cb74b5c86819cf9b0b350d493ca7317cd5998581ae8c1dca777e3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 70264d88e9fceb13c02e8bf4b35cface |
| SHA1 | 53f8718b6e839a62e0b7897dd37ad003f5f77932 |
| SHA256 | 260ed2c0a35edc4eee86956fa8e853acca837e0c0e93c8d502e69a339aa7faf0 |
| SHA512 | 6900e0800cc8e096bfe3904fb033d54b4267a74c43955fc73e67e1b55e637b790631fbbc3051bde9f07b4c5cc32d6ee4ac987535e2054bc84f09ccf674219d48 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background.js
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240220-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c73afa9d00624b4e88a89a1476f1719600000000020000000000106600000001000020000000e98be9c83373ead73729e95ba6551f261325fd723e3c7c2b95542d76e0302817000000000e8000000002000020000000d174c1ac177341e544c9bf3a4e5f18708bf05859e14214fde4e235e75a28223620000000d9296ee39a41f83251fd5316f3ed4387abdcafa27dacf6fcbfcdbf883c24b475400000007182f20a2850a2bb1ca91d355b00d8a6ed85c1b66963cae56d70f00590af57b14a289e2671ae872efab6cc5efb3b86c6da6ef5dbe106ec0bafe7f9e17eccc6ec | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F524A901-3089-11EF-8554-DE288D05BF47} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c73afa9d00624b4e88a89a1476f1719600000000020000000000106600000001000020000000c029bb72af826bf6eff2db388b92d8d9ee3abbf2908232658dd55eef889f269d000000000e8000000002000020000000fe449eba54ddbcdf01a691edeb383401b77c1b1dbe910ec164b8d51adb542024900000000980b88c031429cc7d3af0dc5185d5a4cc3ac6609b83bd59ebf42716a2466bc59a7d6f68996919abddea03b9190cd34cd8233b40869fc8119840fb285c80bbc1937923641083b07f003bb8608ddd35e4db76825e8c871df62ba1c8100dd263a786d3bafd0124bf8435a3e685261b1f8dcae25abb8820255d0c9c9f96d13596033bbf8518c1c0088d5e5ab98a4e4fb0b44000000002ebb6e0584a0e26add771ebeef94d5c67a753d9e55f827c9603717355bea8253bdecc38c22199a6c74e8fdfc67e531e881e059e39abf197d5a60df0868dc3be | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425217322" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2028b1c996c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1684 wrote to memory of 2260 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1684 wrote to memory of 2260 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1684 wrote to memory of 2260 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1684 wrote to memory of 2260 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\html\background.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab20BD.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar219E.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 94d4c08f5e99e4ed883178c4d7d83ced |
| SHA1 | b0896f1758aee37c1462041b91401769efeefc65 |
| SHA256 | bfc31cced088c4b209d1fd4cf4ac15c0e317b51cc3f7634da7ec2b15812cc3ee |
| SHA512 | d62d5a816bb38f16928f0a2a52aa6640480b78981377eb591618ced94b268b28b7ea2397cfaa7f200355756a2278d373bb4069a01247245a5bfeb66094672df3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab68caeb43ee9a2d4d9c27d94ce473e8 |
| SHA1 | ea38542fbf3d27c419286698b4273415cdc27073 |
| SHA256 | 156994f1bc93f873ad7f2b73cf3b37fc1daaf1a5e073a7f983d817cb27c07546 |
| SHA512 | f6de7cb333bce6e2b72662c74e2a41e53ccc3087bc3f64ed7fd7dd7a45097302c0abfca8fed3bd1f37027a2881596f7f399a77857d8ba97e8eb0c9ad6623edb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7cd888bfcaa1fd51b91887d2ba76d2f9 |
| SHA1 | 1c3a243dfa852a7c2dc988c51b9f4a971e678282 |
| SHA256 | 3837fc5ef68a4f5682f7216bf1d0ab7fd992e9cd0b795a90ff6c358605429e22 |
| SHA512 | 7c6895b9f84081292a85b67aedb3f0af4dae50d247b85d58857f2200b65e739e4cf3ac25eb4b75678864c47284f700ea167b25b3e4c49de174bbe801868601b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e445e4fa6a0efadaf563bf70381d337 |
| SHA1 | 2d3aa0f9eb31939855f28cbc495ba4dbb6a07c3f |
| SHA256 | a3a842d728ef855c39bb43fc2890e810a1a79c4c0d9f02704b828ff15786ad53 |
| SHA512 | 868f62e19b0b7b5c8e277f0fd117def6e90fb9476f449f0c83cd63560d31f8ed66a230c03084a4d8adfc77cbefa6eff2ae9193652eaf0f4693fd853a632e9d13 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bfb4fa813754efd560310ff380bccfc6 |
| SHA1 | 2c90c88e66217a5a72df2cfff18111d0e3dc78ae |
| SHA256 | 4181ef9f5718920f187dd8a79689d735cd6d6ecf219df2e5a166880d546c754e |
| SHA512 | 9f9cb0292b3c2a19c326605b099f9aaa3548f9f51ba463ff56d1fd5361aae7d5899d2d27d81b38f118fac8d418e7e73ddbc5d4944170aa3e6bff2349449cbbb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a5afb4dbd12dc8f23156475ecae253bc |
| SHA1 | 83b25d8de1948a4c5abd26c365a96c48c0594bb0 |
| SHA256 | 83f4c9bee2875a8b083ea2b001a20e3fd39c9fadc4b8ac893181c9ec97d1f78d |
| SHA512 | c556d4559899c1a362224872e90552a2c8d6fcb3a25c71d9264f905b8c4a9ffda4b9556170b3f21c9c2e0c3133a5cb5dd2571b682fd6b3d1500bc816fb7addf9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b2d8ae6aed823c861f4c312a0777f9b |
| SHA1 | 47c301b3cf99a90abef0718f35e2b7882a62730e |
| SHA256 | c038c3e04f05b206cce73918819cdbe72a3997b429c93dcb504c12baa4a53cc5 |
| SHA512 | d0e936002eef19eb96884cc6faf3dff60c4056bba34f024fea981ccd40dcaced3517c5441a907855da781de722f6e8348dab0e0ce71de031950a7f3d9e9c67c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | abd12133e6775c314eec2f293290c1ff |
| SHA1 | dc870b729424a421c5f40d0e8eab6fed86d77a14 |
| SHA256 | cf3eb2d0db5b92ab52fadb71325066ae0f8285f930f678636d25d64ea6c68922 |
| SHA512 | 928ed0c08eb1326f42311cc76953e36fc9c2e2a59cdcf596a6acc592af77f0b493e0a68fbf5d8d4ba7bc5c811483b1c05e989d806aab2c17e86037077557f94e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ad71c77ced8849b47a0c0c6077f43ed9 |
| SHA1 | 569d7d770b142235fba9d5a833c0f905d9c1d790 |
| SHA256 | 129a3699352d88692b408c4d682c7cc012fb9ab3d754d0dd8ac05c1b96110ba3 |
| SHA512 | 9d3c48173d4be731b4ecf588ceb1ce2c9b07acf270c780e956177db4c6426a321ccee86c0dd8a0092d8779b03e45af8ec4ede13e792a5e65736d8766262b4cc6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cfcd0ae098605754275cb216d0dd98aa |
| SHA1 | 3c548c415315b176ffd8bdd404b059cfc2f98183 |
| SHA256 | e04d2251027093bd06c7bf08f49a834a23a9db548e3e4b6fc5632699c48ab121 |
| SHA512 | 96fad298d74a4b7b49d247c85c2e912957d43b5e2b8e1ab694f9d3258e448ffaabdc399f9614d31534c32f8bfa508f7e467e8bf9d08d009dbe15b70dc0415ccf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e0b19b6a39e9267617d601362c017cf |
| SHA1 | c5e16ce151b97a3604be5c004a2148cc52a85f10 |
| SHA256 | d197ca87efff911b01a14c514cb04a50c7a0f8f9afe9b5a1ec749e50d58b20ae |
| SHA512 | 3f1b3ec6af74ebc77369f979541ed9c59a4f1a3bceed3ab27fd2fd60d5ab0e016cbbf98358a57c1282a5ec7ad98f18d93a6ce91ceb1fa564d0a5c6380c9fac64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4a205b8662ad7b2464d94a62ef32dd3f |
| SHA1 | 1b5507224538979b4290ae9f4405f5f4d89206f3 |
| SHA256 | 8985c837c742ed2ca54cf63f4e9f1488f27ff41e15e99b0eca173715d6503878 |
| SHA512 | 78617198a5812b719fd3c693aa61e752ee24d28302c67f56136785b5a2ba59bf39952b951fe612808ab36dbe2bd6737d4720ec580d17084ba187b5e9fa861546 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57f31d528b54aa57802376403e5af940 |
| SHA1 | 1145c2aa6d1e61756d7ab05c16f4d230dc46b256 |
| SHA256 | 8da05e84412eb9d67b50a94cf2e56804d3ce359ca5c961d41ee216be236e5530 |
| SHA512 | 392d048caa9cca70c0cd14f090af95212f589400a2023f7727c2c133913dc24b9e9e82f5caa5f2c36ad05a8b616b3b42b77668776c535df8177d77ad57feb531 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b8727880cf31b4b4270077085816b1ca |
| SHA1 | e75df58676da070b9b40f534ac092c34afd170d1 |
| SHA256 | fea348c236b6396fdb092cccd169ed1efa9f8ca9cd96e78e99114c9e4d15d322 |
| SHA512 | db59f61deabeec8c93cdae3ab25493ee784f77b0200c3ae723752e1fe6882bd78605472dc132238bfe1bf8c518c90f9575cae2bbdcaec3a4739cfc94460587af |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7d8d90c10b4c5889f1d7cdfc8fc9d01d |
| SHA1 | dda6b730527b65f94d49678a26e9b43573a65e1d |
| SHA256 | b75957761bbc704e2114d93091501c0bfb45ead2794b5f7f42771274a987044a |
| SHA512 | 45b7baaa26181b8a8b43f08308c057f48e3d72af9c636283f18c52cfab47214d3e326dd3f7809121f682c9272bfd9eadf24fb5a9da826910ca9cd042bdcc390b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fdd077d19c3a577d44f2af73d0881b2d |
| SHA1 | 51cc725e095aa8bfc94325515017832f3e256be1 |
| SHA256 | 2bceed18cf766335747de0b2732f953068bc10ab812f0c02e2f2cc5a840fd81e |
| SHA512 | a9b7e9ffb75aa34637dd7c1cf011a9e198c45479cd7afe075536e783a4c21ce709e846e05ddc3e11310e07c4c9cda701a1c3a5d224d8019a99d26d1280e00c5d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4d8ff1689e6160dcaf1e848d62aa950f |
| SHA1 | 8bea0fc4504885ab8fe86ef6e8749517af25baee |
| SHA256 | 2d0449878c896436faafbb82e7222377efed66754011c594ed6bf6f9e3b6527e |
| SHA512 | 647eb154722be132d15c7820c89b9c805d4771caafeafa8a9569577dee3233f40b6de3d62ebb2356d6fb98bc2cf0d68962f6369cff045c5e56b83d50de56094e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 99be575a270582b0812ce2081643ae71 |
| SHA1 | 56cea5b9c53f35b71f465ce9682e5a1be80c24b2 |
| SHA256 | dcbdce4b16d8b02a8415a7005e6db20a4f6ac8c2c7e6f787abbfca3a59f26ef1 |
| SHA512 | e0f1acc7cc17cb26f9ae724cba2ac43322347ca26fb3ef345ae84ff24f475e7042e601374850fb47f39ed6a6d34df602d941f981b9a057d7296b4f05a32e42b3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a02f58b76ea9e1a42f36bcbb989df26d |
| SHA1 | 048f2dbfb5d48f4e939513013d730ae3bbf1ca7a |
| SHA256 | 9e7b5b6a4379f44479453c119119872ed3e8cf5d8550d1e8c4004d44e58ebd9a |
| SHA512 | be714061f33ba022b0e4d1184846952112a7672ef21b3802de1c2607733e11c444d8c341fa134a465b427763412fec3b971612767079b1d165b647f83252ecd8 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam.js
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_chrome.js
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240221-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background_firefox.js
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background_firefox.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240419-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\defaults\preferences\priam_prefs.js
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\browserLoad.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_background.js
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_chrome.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\browserLoad.js
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam_firefox.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240611-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_background.js
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js\priam_background.js
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4572 wrote to memory of 636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4572 wrote to memory of 636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4572 wrote to memory of 636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\PriamNPAPI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 636 -ip 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 620
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240508-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js\background.js
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 224
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam IE BHO" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL\AppID = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\Programmable | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\ = "WajamDownloader Class" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\WOW6432Node\Interface | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\ = "Wajam" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID\ = "wajam.WajamBHO.1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID\ = "wajam.WajamDownloader.1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Wajam\\IE" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\ = "WajamDownloader Class" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}\ = "Wajam" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ = "WajamDownloader Class" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods\ = "18" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer\ = "wajam.WajamBHO.1" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\ = "wajam 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}\LocalService = "WajamUpdater" | C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5} | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1 | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID\ = "wajam.WajamDownloader" | C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01e56543f6c7b85323239505ede60e84_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe
net stop WajamUpdater
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WajamUpdater
C:\Windows\SysWOW64\Taskkill.exe
Taskkill /IM WajamUpdater.exe /F
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service
C:\Windows\SysWOW64\net.exe
net start WajamUpdater
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start WajamUpdater
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "http://www.wajam.com/index.php?firstrun=1&unique_id=F1F7A19E9E7803837C104D984C14D59D&aid=1642&aid2=none&enabled=1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ef3646f8,0x7ff9ef364708,0x7ff9ef364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.0.494472232\1940736246" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab20276-64a2-4706-9999-1784aaa02882} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 1848 137adab5a58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.1.1306188036\1748083410" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ba58636-b720-4b7b-969c-5ee722acdcc5} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 2440 1379978a558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.2.2080517659\310577629" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9f46bf1-493d-45af-b053-8046563dad06} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 2812 137b0b5fe58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.3.1399669908\273857418" -childID 2 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9419d3bf-890d-4b70-8c5b-727f641acdb8} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 1132 13799779c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.4.842268717\1188912657" -childID 3 -isForBrowser -prefsHandle 5028 -prefMapHandle 5024 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61d4a1f-4fdb-46aa-b847-71d60835812d} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 4952 137b3395658 tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.5.747260500\1163965461" -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5420 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09f489dc-dd2d-4b98-84a8-dee04abe3578} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5440 137b4389958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.6.52997322\1702476953" -childID 5 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6b23e1d-063b-49aa-89da-3e05d0363fc4} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5568 137b438a858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2320.7.1835802284\1762263680" -childID 6 -isForBrowser -prefsHandle 5856 -prefMapHandle 5852 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1236 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8647509a-cb47-4973-b054-8a31548a34b7} 2320 "\\.\pipe\gecko-crash-server-pipe.2320" 5772 137b4388a58 tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,3970704516331860001,3812238806686696303,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3884 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\IpConfig.dll
C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\DcryptDll.dll
C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\MoreInfo.dll
C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\nsExec.dll
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
C:\Program Files (x86)\Wajam\IE\priam_bho.dll
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_4996_VSHZLJQJAFCVRBQE
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\nsisos.dll
memory/1472-118-0x00000000031B0000-0x00000000031D7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd4E51.tmp\inetc.dll
C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs.js
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
| MD5 | 4ea3d77b2833bfc3583fedc366cf4b10 |
| SHA1 | d56ae86d464fc96086f5d0c8b73e167694a03b9a |
| SHA256 | 651535701b3a28d8357589e66d5a4ac8cbcbbd63b6b5126adf720f26c40b32aa |
| SHA512 | b7abe9aa3a1bc4816da3b1b3803970bc234d0edad7492d13ada315aeaf3b9387199a242ea1d7659e74995cb8998c5554d3399a0c4b367e0fe60df423dd5391c9 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js
| MD5 | 1af42e5a202d5cb6805ea66817b3f27e |
| SHA1 | e395c8666a13653d20b6e60efd5f6a098af509e8 |
| SHA256 | eb15b06ebe08c38f07ed48db625ad9cb7808bbaa9ec3df6af7930d7a60bd399d |
| SHA512 | 1290236949615614987c483ad81eec23364d8844aca8fd2c29e3d50f0df727b3cb03a3983e38280890938b6c3eaecdfd28ebde0bf3107be6ad69ae8cdc70c4c7 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263
| MD5 | 15bcc07b9b0b83103d01648215128e64 |
| SHA1 | 2a09f0284372be8ba4c3923d49e78b4185788800 |
| SHA256 | ab8e647affb19150c49eecad8409b5783df2bd04d1b6ba90c88df6807d9f61d1 |
| SHA512 | 210264b7ab6f0db0c08c2d9ccd9127dfb2890ddee4ff686e2bdf565a541a435411c176edbc6bc54add09c4ff58b65a0a73ce45f43c23cb726f632e49d4984ecc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js
| MD5 | 0a5f3d753217356910a9047a52f127da |
| SHA1 | 6abb56bc73da6719a7e817d8f3e0949ee246c9ca |
| SHA256 | e74416af38e81fe45dc25a0be3b02d6a46fe274b62f79295ef670d11821ca38a |
| SHA512 | 3c056243ea379d32d822f666dfa36bf78f2cd77afeedc063a6fa08c9127d7ea434dc8eec918050f658d695a5ae0706f920e521cb1f34c1dcce2ac48f66258b8e |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
59s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\js\background.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 224
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240226-en
Max time kernel
136s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3588 wrote to memory of 1504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3588 wrote to memory of 1504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3588 wrote to memory of 1504 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\IpConfig.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1504 -ip 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240611-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 228
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\content\priam.js
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4620 wrote to memory of 1556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4620 wrote to memory of 1556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4620 wrote to memory of 1556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DcryptDll.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1556 -ip 1556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-22 11:24
Reported
2024-06-22 11:26
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1332 wrote to memory of 4220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1332 wrote to memory of 4220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1332 wrote to memory of 4220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4220 -ip 4220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | | tcp |