9ce6ccb2d3d78eeec8af6e1cf03bc17392b359e4acd677ae9660efedc54e8740

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Size

381KB
MD5

7586767ca002ce283dfc9395f8d42449
SHA1

1c22953363ca7086af09095972231c8b14fa3d72
SHA256

9ce6ccb2d3d78eeec8af6e1cf03bc17392b359e4acd677ae9660efedc54e8740
SHA512

e0338914276ddfdc9d796c100db022795cb8f0be1c9d41926c0449a284e9611e11e859314904937c644687d36bec0f24690f9ad5d551b758b9effacef527eca1
SSDEEP

6144:XTq+5yQlE60f9Rm1K5yg7DMK+LMygPUH5JrkhqVdDXpBs6/YOs7fGy185jLupoCb:DnyQlE6qnrt7DVHUvrkhqTZBsX51S6pb

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2728	WajamUpdater.exe
2644	WajamUpdater.exe

Loads dropped DLL 11 IoCs

pid	Process
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam IE BHO"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\NoExplorer = "1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WajamUpdater.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\IE\priam_bho.dll	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\uninstall.exe	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Wajam\install.log	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\IE\favicon.ico	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Updater\wajamLogo.bmp	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\install.log	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WajamUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WajamUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019348-50.dat	nsis_installer_1
behavioral1/files/0x0005000000019348-50.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2744	Taskkill.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{092FE7B1-4BF2-11EF-BB9C-566676D6F1CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000b757182acc96f9e47950839c4e5ce7eafaf227d399b6907060ab30b29d2ebe34000000000e80000000020000200000007a7f9515d46a3cdaaf5aa568cc52413e8ab0532e06438698a66092379a2642b0200000000eb780c6ca9b5025c0452ff9ec9a6a4606448bb7ee6559b0f0676d209e06679240000000ae003e9d9dcb6df970bd851c487cee478f023ec7dfa2d82568d670e6eb7750e1c0c4ea59c20da781800faf644f842314a331080e0a3568742579d2057375a261	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b5f6e1fedfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000c70c8be082ad7150bae91b25a8c427be2c9fc7099290e9f055ab486a37721f76000000000e80000000020000200000007250fb91ab6dbd667d01f5a42b0c72587794c8691978d179c2cbf4e7b778c77b9000000000cc4eaa5183ef4585be3f3ace84ae020030d7c9f8fc4bf4811be1aab4392142dfb33305be2212cfcee0d423dcca2fe3a7a945976ffd5a0253bb5d0b4a2a7fe2227277c10fdbe7ab0b07326c79eb32a88798826fb839212d5ca22253b29603fe3a444e8cee63219e9399dee9867871b2f23bb88878226fef1591cffb4da631266b4f24a33309ad8273dd0bda7e7a1efb40000000c534734615ba1e344a26c5fdb350edb1bcce9405be4c1849d74e94a109bc29cff8dd11569ec300d6a3c91dc54a50c276bf7568cb74aa6ae7a559b58d096fe873	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428230705"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-b0-c7-b8-25-9b\WpadDecisionTime = b01f0ccdfedfda01	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	WajamUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52208B75-703E-40FE-A8BD-5471E580D793}\WpadDecisionTime = b01f0ccdfedfda01	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52208B75-703E-40FE-A8BD-5471E580D793}\fe-b0-c7-b8-25-9b	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52208B75-703E-40FE-A8BD-5471E580D793}	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52208B75-703E-40FE-A8BD-5471E580D793}\WpadDecisionReason = "1"	WajamUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52208B75-703E-40FE-A8BD-5471E580D793}\WpadNetworkName = "Network 3"	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-b0-c7-b8-25-9b	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WajamUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WajamUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52208B75-703E-40FE-A8BD-5471E580D793}\WpadDecision = "0"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-b0-c7-b8-25-9b\WpadDecisionReason = "1"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-b0-c7-b8-25-9b\WpadDecision = "0"	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WajamUpdater.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID\ = "wajam.WajamDownloader"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL\AppID = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\VersionIndependentProgID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\ = "wajam 1.0 Type Library"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Wajam\\IE"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ThreadingModel = "Apartment"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}	WajamUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\ = "WajamDownloader Class"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID\ = "wajam.WajamBHO.1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "PSFactoryBuffer"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}\LocalService = "WajamUpdater"	WajamUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\ = "WajamDownloader Class"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID\ = "wajam.WajamDownloader.1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ThreadingModel = "Both"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer\ = "wajam.WajamDownloader.1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer\ = "wajam.WajamBHO.1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ = "WajamDownloader Class"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	Taskkill.exe
Token: SeDebugPrivilege	2032	firefox.exe
Token: SeDebugPrivilege	2032	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
468	iexplore.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2032	firefox.exe
2032	firefox.exe
2032	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
468	iexplore.exe
468	iexplore.exe
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3004	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	31
PID 2064 wrote to memory of 3004	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	31
PID 2064 wrote to memory of 3004	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	31
PID 2064 wrote to memory of 3004	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2996	3004	net.exe	33
PID 3004 wrote to memory of 2996	3004	net.exe	33
PID 3004 wrote to memory of 2996	3004	net.exe	33
PID 3004 wrote to memory of 2996	3004	net.exe	33
PID 2064 wrote to memory of 2744	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2744	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2744	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2744	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	34
PID 2064 wrote to memory of 2728	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	36
PID 2064 wrote to memory of 2728	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	36
PID 2064 wrote to memory of 2728	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	36
PID 2064 wrote to memory of 2728	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	36
PID 2064 wrote to memory of 2728	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	36
PID 2064 wrote to memory of 2728	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	36
PID 2064 wrote to memory of 2728	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	36
PID 2064 wrote to memory of 2656	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	37
PID 2064 wrote to memory of 2656	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	37
PID 2064 wrote to memory of 2656	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	37
PID 2064 wrote to memory of 2656	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	37
PID 2656 wrote to memory of 2624	2656	net.exe	39
PID 2656 wrote to memory of 2624	2656	net.exe	39
PID 2656 wrote to memory of 2624	2656	net.exe	39
PID 2656 wrote to memory of 2624	2656	net.exe	39
PID 2064 wrote to memory of 468	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	41
PID 2064 wrote to memory of 468	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	41
PID 2064 wrote to memory of 468	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	41
PID 2064 wrote to memory of 468	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	41
PID 468 wrote to memory of 1672	468	iexplore.exe	42
PID 468 wrote to memory of 1672	468	iexplore.exe	42
PID 468 wrote to memory of 1672	468	iexplore.exe	42
PID 468 wrote to memory of 1672	468	iexplore.exe	42
PID 2064 wrote to memory of 1772	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	44
PID 2064 wrote to memory of 1772	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	44
PID 2064 wrote to memory of 1772	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	44
PID 2064 wrote to memory of 1772	2064	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	44
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 1772 wrote to memory of 2032	1772	firefox.exe	45
PID 2032 wrote to memory of 612	2032	firefox.exe	46
PID 2032 wrote to memory of 612	2032	firefox.exe	46
PID 2032 wrote to memory of 612	2032	firefox.exe	46
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47
PID 2032 wrote to memory of 1520	2032	firefox.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\net.exe
  net stop WajamUpdater
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WajamUpdater
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2996
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /IM WajamUpdater.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
  "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2728
- C:\Windows\SysWOW64\net.exe
  net start WajamUpdater
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start WajamUpdater
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.wajam.com/index.php?firstrun=1&unique_id=16EE09F42497AAB57A94F7EFFA917657&aid=5445&aid2=none&enabled=1"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:468 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1672
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.0.359606010\1684224355" -parentBuildID 20221007134813 -prefsHandle 1276 -prefMapHandle 1132 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86c42243-c684-4c20-8c62-e201106b95bb} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 1352 110ed558 gpu
      4⤵
      PID:612
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.1.1345799460\1109536428" -parentBuildID 20221007134813 -prefsHandle 1556 -prefMapHandle 1552 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4ba4c63-cb2b-4a0c-8efb-44dde16c9dbe} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 1568 11004758 socket
      4⤵
      PID:1520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.2.87488309\368776514" -childID 1 -isForBrowser -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b61bcd18-f012-4896-9787-73bb767baa67} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 1940 1105ed58 tab
      4⤵
      PID:2524
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.3.1098276023\892935915" -childID 2 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d2901f2-a61b-4f9b-b8d1-3904e15e2bad} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 2888 d62b58 tab
      4⤵
      PID:2996
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.4.907698947\1574681340" -childID 3 -isForBrowser -prefsHandle 3796 -prefMapHandle 3788 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f952b1f-d7b7-419f-871f-ee17855e993e} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 3812 1db73658 tab
      4⤵
      PID:2240
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.5.1248826747\1513285760" -childID 4 -isForBrowser -prefsHandle 3924 -prefMapHandle 3928 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76b9ce6b-eaa8-4898-87a0-08a13f9acf25} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 3916 1efa1e58 tab
      4⤵
      PID:2552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.6.1094212151\516202326" -childID 5 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b7d2b82-8484-4887-bc04-108bb78de7c9} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 4028 1ef9f758 tab
      4⤵
      PID:1844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2032.7.1001625390\582658031" -childID 6 -isForBrowser -prefsHandle 4240 -prefMapHandle 4276 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {287df0a1-478f-436f-bcb3-af6ab42fc4ad} 2032 "\\.\pipe\gecko-crash-server-pipe.2032" 4040 d61f58 tab
      4⤵
      PID:3312

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm

Filesize
2KB

MD5
ba7197cc8e52161fcdff765697febe37

SHA1
b03b974574d741ec8ba6042f14553886fe45d76b

SHA256
746739c05859db81f472d8bfe0b2f11ab33a3a661f6943e55e2833184f8925fa

SHA512
168fc12fbfcca80c7398636cb5b8ed0388d5d58227b3c2288f031c48ea490e64d09b1e1d0cd8e7bd67e67e4caae0574909db1d5aa36e8a40c421bf25c93ff8f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
98325c49c20b9d996ca4968b25da9496

SHA1
bf5a61fd9852ece0ae588d713f289965d8ff7022

SHA256
5bba1e945f8b1831312ecef2dcb91afd1f72da1bf4ca8578dd2cea455ad31443

SHA512
49a94086d32c9c85025e9382ba04d24d1d5a7755ed27e8e86f7b4c88fdf151ab21667a5b0430c7e07ff1023072b6c2a8873818255ab5a39f0f332710fc0295e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1be9bc6b58220322190d3bd4c34d69d9

SHA1
bf19fda907d4dd3eb901836d35bcae5753ea35a3

SHA256
5d89a3ff44a46f13a39ab188c528060d380a347a5685760f0113be4a0edaba8b

SHA512
5c1837e03349c774fe20af9acf8d4cdfeba13196fc85581571fb6dd3d71349812759c6a19b5006b58288548878d6a7ccbc762720a75a9183996a02275f3a0259

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8c2447dad89e76841503f3a72c2733ea

SHA1
f18fac83964a4a12f0205b2c63ff68358d376028

SHA256
0c412ae5d146e2f0f0dc6cccc9ed91cf7e62c3cd23371db6912f4e1eb009f050

SHA512
d62086f6040909ab892aac8657e3b2d84c9886c08bad0cb954ad2fbd009b04aa50b71bb9824f4f815e135ecefbade567235b35c479c78ab8ee40309d6570f63b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ea75be48085ae6dd73b06103e3a256ef

SHA1
fa77ec3a08ac90626c55dcac3f52463e9802102c

SHA256
0a99ffb444d4f720dfae93c0988f4046050b721e4dd49c195d13ee3808d407fd

SHA512
9d7699353798404bd6445113ef5b94bb0927a17fb479cc6a3dcd927d01a6ba7575422f92daeb9aa058b6ec42ceeda8dc543319c2f963633f5959c366065a5d61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b0c920aeb07439740515e5c8fbfccf51

SHA1
9ccf958adf0ceae35048f109a4efe9bd688923b6

SHA256
97214aba111580c5d967cf0d03c39edd97760691dd8db620a28fa2f0acb375ca

SHA512
25a18a3c66bbe5c6717880c6d67efebbddab211b6d13acc9f28c9a7ec3b5ffa459a278166be6c5a431c3fb9a5d5ebedef66a4063f412997d70e40c1d854a7be9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ff60f82f4b60f6b8c8f6904c4f9d0ba8

SHA1
06a62fbf5ea01c3a090bbdfe4d0af759ca8c7893

SHA256
1316b890c5c1914fad4a64876808abc6e32d8973593e52dd6d673679928c0ade

SHA512
76f83b77be4a59c1a4764c20041402ac3d44fcdee57f7f3f59d40240891d3ec808b56bdddd2be95201a45e9c2caea2be3e0af156db329111c265db66a98a3a72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5fa85649fcb14a0b60b7001d097f267a

SHA1
dd0dd13573e47567fc0b61b0738c822ad8c51ef4

SHA256
b1ea46e4712082d1b96b01da58155b4059263958d4304c8e18e0d1b3a13ee4ec

SHA512
f6078f68ad6b4a0172a1bfa74d566a479db25861a61034fb6becd83d8e304bf3ef64d1cf9b767eb824b43d19e3d0d1f54e3d83bc95a710834e8433121060e5a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dd61b05b178f7105a6de237a9129c853

SHA1
25f711f6f21ab219bef261d1ecf73173eab1dd9d

SHA256
1ee4be40e353f5a95350a58eb953835fee414423ac2db5f33ecc798fe28588c0

SHA512
c8dc0d64184f73f7d02b2fb175fcd93c2d19a5327e78ec278dfe45c5945780bcf7425c72bf5643a1bff4b4c8e71e643d23859da29c637e37e69fbe716b24c168

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
66d8528dbb7cc0454f95590f265e59f2

SHA1
f9ef74287df8bde3c1a44c865c1f8eb1ddc9774e

SHA256
252487f03c6063796d501c9e2a6b06bc92b4a7aad6b890a9e3d0fc0d830005b6

SHA512
46be5df00c9547bd7896d3cc6b9940726fe745f9ee048343303b57d7c994a5d308814607b0816cf5be376b8bbd50d22e30ed8ea4618be067ca8334f388289dbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7786e0d6370d73691dd42102cccfbf06

SHA1
95c379d89a56df7539c34f2d63efe8919de4cf4c

SHA256
e5fb6a66afc47ac68cd3aa6f5c6d240c2cf69274bd2f4d1eb61c53456a6d33b1

SHA512
b1a4c6030c56a5db845878afc97faec2cca122f598ad3b550c3a2d64f08284d3ed51b81e65bfa354e3c606298e424bfc98f025102291c35f331847175d7c873f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
294f4e9c004add2b3362c23773aa1261

SHA1
d8f3b37fffbb2f390725ddf0dccde973abb08d3f

SHA256
f993b311469255dec4f0986f457beaf96db4a4377ed45d6d7f51fee1b677f381

SHA512
31f8c80fb1cb8afefb917e2f786dc06dece576c734d97d1f8e9fe433b6dd60fdf481a05dabca4ce4d3717ddfde0ce67bf63d4e09ba4656bc30b90263d34e0110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a36079a68a9c301c90ce075da52597c8

SHA1
ad406efc4e420a36f2d931b490dd5da9bcf82c88

SHA256
d3b98177417f52563f28e0e172ef95da49cd5902b21aaa368e1add46340a7138

SHA512
871034f343f0c2ba73526e33eb1c9b7142d069ac9dd24c7d74d190c62e68eed5b1c6ebfa8b5fb0bb19b6daa2fa13f0af0e7a62b623f434a888e49f9848b6f1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
386d73b5267e9de6660ff9e455825dc1

SHA1
897ad8cd824df899d8ee4fb2da3d614747c26b5a

SHA256
0cabd51e60f99063e3275c197e337c9eb566245191aa3ff83eaff750dd99f8c6

SHA512
1e371f2056757a5b873adb2cc0d32cb5fc84b1c510cde3660acf4342b13bbb15bf8c3696b39f843ebe7304eac3b6ee88ad233aa7557efb11a86ebdf5f9d5ef60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
75e1942431be979d1ec52914e8261b09

SHA1
edc933bb6e1497878bea21dec80603525e5d4669

SHA256
b6cde52691266c33d0d0d432f3b0cb79867d420314ecb8f3719e11477262a7a9

SHA512
e5f0edca3d4782002c3b9f973e4433da76afba92623a0115b8fe074e25cc616637e7213fb10f47a6b2619b08e3d25580e132221aeb3afc45e89a364c5b5484c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3430ccf320ee87151b17f8e16709eb14

SHA1
7f4ef28f48929135317c290c9346688b2efa8af0

SHA256
bf82ee34c970f10bb7371d4d40c1cc3d5be161cfef754fa9ecbfbf2d50caecb3

SHA512
887c9c32f7768ce9b564e4ebc86c3b527076929b092f240b22ced907cb9b37c46a28f10190a6b7faaece361f1288ac0aac243f5162552a2389b51ecddbc2c60d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b8cc8b65c2ca1001fa1534d704fb3e54

SHA1
16556e21c1eb743c57c30a26c2f998608a4e516f

SHA256
74e548cf54f901f130dc5db5bb2bc0b885360cc632dc937acb832ee0687a7590

SHA512
ef23c10cdcae7d231ddfee01b6cdffb9516d297aed60db25ff3edf2a92fbacf70b0095392c55478f858ff99e2d2550d296d9d4a1da91aeff48940669edc070f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
71b38a2b3e9baac8bc7995a5c801e936

SHA1
3556a167e8574538e6963b5a26d0041f868da468

SHA256
d7186a42c862dbb8c7ee8c3674e83fc4aa7039b13523e0e267b80f32d179e1dc

SHA512
1e581d270900cd307f618c06f8a040f5ad46e37b04daec8776d34217dbdc4f2e5438c1fa741d99d4a44c52329c2a20bbfc609ac89d4f0bc3bf88f8264ce5d4d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7f187dc67ce2dd55e13c1f2beb23de07

SHA1
1bb096d22123a9ac2b5037a7f6b0bd338d8e5cd8

SHA256
1b3da9179d3f78509bfbbd17836de0d2b7c6efbe82980f3eb7478e1b701a200c

SHA512
98423de8555f6eac1ba60a459a6c5decb5ec1ddd907b0d7f725973ab7b80a4c0644fae05aecb5a5190ee6efe939be977848ce213ea7b1859876243f7c558026d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e17d7631a47face8dc3800ec09a25f3a

SHA1
b64829e4e3f4c82c6f5f4281619ff51326cdde00

SHA256
a387945c109cccc67d07f8ac6bc7a7267b2203f3efe1b149b27f6790ce5aa791

SHA512
c8c8dc7b74e4113d3d4860f68daf2f64265388dc64ab4bef037bb0c2d0ae249dc171c5b26ddadb29b89650ebd6ccbb9c0d358c98481c69b2a662f0dac9a6fd35

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
fcf36c250f3ee8277f69f7c98442400e

SHA1
41673ac86e5bba087370f0c4cbf525922dc95987

SHA256
99a57edf04713c3ea3e24b51f7831fcef1d2ea1bec843a4cf1ce9e56b47f25fc

SHA512
f300ab2a93f12332c7b90b6c16995949c5a3fa2bef60352600c420c927b27ed5d44734da2e375d47758b84a8d6c89d27b6c2eed6b80726c66e9cb62b89bb26bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i7f18jmm.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
79c6719c67b61c74221df342bd2862a4

SHA1
85c2efb83e917627b5d7d192d10fc36823c61a43

SHA256
8d6ea72d0ce078c7f3e1f7c7903195b4134c40cb3b15d6bb90e7ab4300ffaf57

SHA512
03f216eec15bb050505122031bf951d95885bb7ead553fba1bcdf33ea6711d98ea91b1478fd0d82b5eebbe3305822755394ed960fbfce87303732479618420b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE949.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE9E8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA8B0.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c725c8f084e6923fd1932975e933a48f

SHA1
594b9d2fb2096fb3d56c9abe82c659dfc175e1ab

SHA256
4a7d387d5db5186c93eb75828eabf5a252f811659b2f1ab3640aadae87069d9f

SHA512
76b16417f11e83f1848298e78ca89ec54c7e91929dd0adce0ede1afce616d5706efc52057ed51310ab81cecc597e8988c0a8a8d44c6c884fb5e6b795cdd8cbb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\0d9055cf-eed5-427a-8576-85b2e7df7eb1

Filesize
745B

MD5
36566dfa9c2491390d63c1082cf6d501

SHA1
cd7c494ca8f39b1b07b3d622c85af2fa6f5248fc

SHA256
61ad5b413dba16d93199d5803cac30b916b715f36b069b70463cf2fd39a545f4

SHA512
385ca23fea79fef707c9751d81f3b8c2d7d2eead3d8e7b5d56e48f646790afaf36e42878d031bfc4984ac8c734af8e33c90abd86967dbc2c50dab3f529617fe2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\datareporting\glean\pending_pings\68bc411d-e278-4880-bf54-26429c6a819e

Filesize
12KB

MD5
33134786dd3cddb05719d24caeb7c0f3

SHA1
66e57b1e78820c01c4d91cc6bf09196886bd0fed

SHA256
2edd5ea990922493c90e59119852b44e2d6e52ce003ec49874f1d984cd65a6fa

SHA512
04af191333c7987cfc2f6e56abba73cd02152dcd69003c77f6c400cea6604ccea71afee0dd1a773bd947cb5a96951ab4a968903f2d0873bdecd2381a71618028

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

Filesize
6KB

MD5
690860db5a30b987261677632407c88b

SHA1
9f8bdf9f454b6f4c841d09ad1c20ca0edeb9b051

SHA256
13f5890c5e474faacfe83fbeabf1f12022215888198383e0d54ea05be8650dfa

SHA512
dd45f03dafec483cc8a1eec27570a6282bcf22a1c196122ccc8336005b2c0483290aef110dac88d019a84d1384f0998d98bd182b7dd393199e7edd44777e5feb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

Filesize
8KB

MD5
6a618ccd7982219bd1e8a632bf27f1de

SHA1
ac231d7bbf84a684d8c6a9e9ad4958d6aee82a2e

SHA256
a4e1e1d005fa798f9b6eae73f472d993434ff6f71121a4f502521837431e2b43

SHA512
6e45c71ac23e3319b7e2b8c3ba3c50efd8ca7b3fead50553ef952df49c0c6142c2168c527e0552f07cfab9b7e97c1f1818fc5f67bbf89fcc967952e9bc1b2648

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

Filesize
6KB

MD5
25aa7c3e517df34ff302708eaf182d9c

SHA1
285fb456aeb5e4e7074d80d63f090103eaaa861c

SHA256
456a38b5e2f4f344d02a75ce1aa0343081d9d1913ba2031de58775c6554190d7

SHA512
03cd6d33088893a27f22aeb16686b671b1e96689a655ad062efded6df03e34b912901a2a8155cffb3746d76773732df5743c4c6501a677b3bb0121732d9e518f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs-1.js

Filesize
6KB

MD5
77ce941b0943f728ba03af80eaba3b3a

SHA1
dbed1a3438b735928427bd55d98340fce9e3ff22

SHA256
1584f421a2cbc60e0dab78ded0aaa9a8c7a56548200449a370fedc36379a4670

SHA512
22b869b91fece6b2a057fea522526387eabd4bf842f00bfb7fb13c1311078c954d36e3f9bf11be96eab05e430549b5d0b89d436c1112a388e80aa405ce74c421

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
c8e3ce04c2dd7b7a556adab9250c9e22

SHA1
d9f67369d8a41309568a2f068148a5a6ce8979bd

SHA256
6861115bebd6b9d51bb03f256cce800c58cd17b29d1f012921e3a94f2fe8cab7

SHA512
809874e46d66207b7302af7f2c93b417c41e348eb3f258637f983d30e955ba24258a0769e635dbb9581f8fc0fea0ffb3704822ad81cc4eef7e245edc7c05765b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
138d12b82ae5d53379672cf292025080

SHA1
ebbc8b9796c93c7bace8265b10f44c6db8bcd6a1

SHA256
23f703a8ff5c01017d7e2d4ecfda5620498a63930d3266340e39f026c743aa04

SHA512
613907eb9ca02798ad436eab528af8fac48f79bc8631309a6cbeb8b302e0aaf87742c2b7fa1f89a306b8ff73c7b9903ec74ebe1dde6e05b49c798dbe015c4b91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.7MB

MD5
eb687b238eb8128c723385a8688f9ba3

SHA1
87b70f72b694c98a9bdd132b7db10c1b92bed318

SHA256
365c536dcbbdcc9e32b10d9fb1a13260fff1c14e09777738d070158a6003155a

SHA512
6444613ed29efe57adac28f0e10ac40981ec19e9e267959f6ae59d52da25836f366fed319b03dad237fe48deb61bf9d1df1bd73355f4303c1e6d34127ed92dab

Download Submit
\Program Files (x86)\Wajam\IE\priam_bho.dll

Filesize
254KB

MD5
0228e4457b7a4c4f65b6df2780f3901a

SHA1
668551cc7ff664c1a1ca5a182fbdfdca6faafd14

SHA256
859eb629c4a76bb7d03efb4a4a8151aeda07f73555898249bc301b9dd30d9010

SHA512
2b1218de79eb8391c2cb0f29d18fd3998f708eef5618212d6a13c5dbfdcf5491ba4f261a8502d70a59b08ac43b16859ec532666b06c53640ef2bf3cb6f3d79f9

Download Submit
\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

Filesize
106KB

MD5
4aa2cc5979aff984227364f2c23b04f3

SHA1
a252fedceedca1655d593982040cceed07812def

SHA256
b23112ae291efae80aa7f9b1b119eb0da4e426930a23ee77a6a43288f3c0cbb9

SHA512
f0a3d63a90745f7f8e15e526d1e7998ba29392e3af7f847ed9e2ca5c90f2a5889e32794487e31f4973267b9aec0685bb1b7d6a202208a8885ed0bc613439a481

Download Submit
\Program Files (x86)\Wajam\uninstall.exe

Filesize
61KB

MD5
15d8ee05f0c9c361f29dab60f13683da

SHA1
5a7f9df72dae680a980a30bccf18fed5323861a7

SHA256
a4e267f7210c461266a21e26288865fa7ec753b9b8cc86009d6ee95b3ac604aa

SHA512
545fe243d4b2bf7b264110e6872ff412df8dec76236d95b3a0e0d6300ecf3b44536466b50a0cec35419b9ebad5a7cc599eaed71cb347181db9c1f52d42466768

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8B0.tmp\DcryptDll.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8B0.tmp\MoreInfo.dll

Filesize
7KB

MD5
80e34b7f576b710d100f6e7c0bed0c2e

SHA1
2b5b895034d41ee0d0d01bf650594ad0d1346662

SHA256
569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99

SHA512
f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8B0.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8B0.tmp\inetc.dll

Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8B0.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8B0.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads