9ce6ccb2d3d78eeec8af6e1cf03bc17392b359e4acd677ae9660efedc54e8740

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Size

381KB
MD5

7586767ca002ce283dfc9395f8d42449
SHA1

1c22953363ca7086af09095972231c8b14fa3d72
SHA256

9ce6ccb2d3d78eeec8af6e1cf03bc17392b359e4acd677ae9660efedc54e8740
SHA512

e0338914276ddfdc9d796c100db022795cb8f0be1c9d41926c0449a284e9611e11e859314904937c644687d36bec0f24690f9ad5d551b758b9effacef527eca1
SSDEEP

6144:XTq+5yQlE60f9Rm1K5yg7DMK+LMygPUH5JrkhqVdDXpBs6/YOs7fGy185jLupoCb:DnyQlE6qnrt7DVHUvrkhqTZBsX51S6pb

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4820	WajamUpdater.exe
808	WajamUpdater.exe

Loads dropped DLL 16 IoCs

pid	Process
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam IE BHO"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\NoExplorer = "1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wajam\IE\priam_bho.dll	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Wajam\install.log	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\IE\favicon.ico	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Updater\wajamLogo.bmp	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\uninstall.exe	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\install.log	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WajamUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WajamUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2268	Taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WajamUpdater.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer\ = "wajam.WajamBHO.1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\WOW6432Node\Interface	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL\AppID = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer\ = "wajam.WajamDownloader.1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}\ = "Wajam"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID\ = "wajam.WajamBHO.1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\ = "WajamDownloader Class"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32\ThreadingModel = "Apartment"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ThreadingModel = "Apartment"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ = "WajamDownloader Class"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS\ = "0"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\ = "Wajam"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\ = "WajamDownloader Class"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\ = "wajam 1.0 Type Library"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Wajam\\IE"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ThreadingModel = "Both"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID\ = "wajam.WajamDownloader"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}	WajamUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}\LocalService = "WajamUpdater"	WajamUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID\ = "wajam.WajamDownloader.1"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
4932	msedge.exe
4932	msedge.exe
4504	identity_helper.exe
4504	identity_helper.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe
1516	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	Taskkill.exe
Token: SeDebugPrivilege	3724	firefox.exe
Token: SeDebugPrivilege	3724	firefox.exe
Token: SeDebugPrivilege	3724	firefox.exe
Token: SeDebugPrivilege	3724	firefox.exe
Token: SeDebugPrivilege	3724	firefox.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe
3724	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3724	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 3936	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	85
PID 3740 wrote to memory of 3936	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	85
PID 3740 wrote to memory of 3936	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	85
PID 3936 wrote to memory of 1760	3936	net.exe	88
PID 3936 wrote to memory of 1760	3936	net.exe	88
PID 3936 wrote to memory of 1760	3936	net.exe	88
PID 3740 wrote to memory of 2268	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	89
PID 3740 wrote to memory of 2268	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	89
PID 3740 wrote to memory of 2268	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	89
PID 3740 wrote to memory of 4820	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	91
PID 3740 wrote to memory of 4820	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	91
PID 3740 wrote to memory of 4820	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	91
PID 3740 wrote to memory of 3208	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	92
PID 3740 wrote to memory of 3208	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	92
PID 3740 wrote to memory of 3208	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	92
PID 3208 wrote to memory of 2744	3208	net.exe	94
PID 3208 wrote to memory of 2744	3208	net.exe	94
PID 3208 wrote to memory of 2744	3208	net.exe	94
PID 3740 wrote to memory of 4932	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	98
PID 3740 wrote to memory of 4932	3740	7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe	98
PID 4932 wrote to memory of 5080	4932	msedge.exe	99
PID 4932 wrote to memory of 5080	4932	msedge.exe	99
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 5016	4932	msedge.exe	100
PID 4932 wrote to memory of 544	4932	msedge.exe	101
PID 4932 wrote to memory of 544	4932	msedge.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7586767ca002ce283dfc9395f8d42449_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\SysWOW64\net.exe
  net stop WajamUpdater
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WajamUpdater
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /IM WajamUpdater.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
  "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4820
- C:\Windows\SysWOW64\net.exe
  net start WajamUpdater
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start WajamUpdater
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "http://www.wajam.com/index.php?firstrun=1&unique_id=9CEAB8418BC257037B3210DAD38ECE82&aid=5445&aid2=none&enabled=1"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda6f646f8,0x7ffda6f64708,0x7ffda6f64718
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:2912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
    3⤵
    PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
    3⤵
    PID:2456
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    3⤵
    PID:2464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
    3⤵
    PID:1716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
    3⤵
    PID:3060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
    3⤵
    PID:6516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
    3⤵
    PID:5428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1412 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,8206010430766641914,1120966730444899334,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5740 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
  2⤵
  PID:3612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3724
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1956 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {906548b6-7b96-4e07-84f0-7cf0e99a0602} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" gpu
      4⤵
      PID:4044
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 26673 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9942c2c-af6a-4239-8919-c95c99b7abb1} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" socket
      4⤵
      PID:5236
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3160 -prefsLen 26814 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49883197-2222-4c3c-b6eb-902f64040aef} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" tab
      4⤵
      PID:5476
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3956 -childID 2 -isForBrowser -prefsHandle 3988 -prefMapHandle 3984 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {991783e2-88e6-4bbd-961e-8f6c92abc457} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" tab
      4⤵
      PID:5648
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4676 -prefMapHandle 4668 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9693d920-8df2-4a08-aac9-6e35f72f6748} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" utility
      4⤵
      Checks processor information in registry
      PID:5836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5076 -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {313f1d62-7fb4-4de7-8e6d-52d351f9da58} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" tab
      4⤵
      PID:6536
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9c14d4-bc31-4227-8278-b6db46cc563a} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" tab
      4⤵
      PID:7068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5260 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d67d86c-d799-4e01-b45b-a44ee8843b3a} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" tab
      4⤵
      PID:7096
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 6 -isForBrowser -prefsHandle 5776 -prefMapHandle 5784 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1040 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {700e401f-1148-4164-a618-67e8244641a9} 3724 "\\.\pipe\gecko-crash-server-pipe.3724" tab
      4⤵
      PID:7108

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm

Filesize
2KB

MD5
ba7197cc8e52161fcdff765697febe37

SHA1
b03b974574d741ec8ba6042f14553886fe45d76b

SHA256
746739c05859db81f472d8bfe0b2f11ab33a3a661f6943e55e2833184f8925fa

SHA512
168fc12fbfcca80c7398636cb5b8ed0388d5d58227b3c2288f031c48ea490e64d09b1e1d0cd8e7bd67e67e4caae0574909db1d5aa36e8a40c421bf25c93ff8f1

Download Submit
C:\Program Files (x86)\Wajam\IE\priam_bho.dll

Filesize
254KB

MD5
0228e4457b7a4c4f65b6df2780f3901a

SHA1
668551cc7ff664c1a1ca5a182fbdfdca6faafd14

SHA256
859eb629c4a76bb7d03efb4a4a8151aeda07f73555898249bc301b9dd30d9010

SHA512
2b1218de79eb8391c2cb0f29d18fd3998f708eef5618212d6a13c5dbfdcf5491ba4f261a8502d70a59b08ac43b16859ec532666b06c53640ef2bf3cb6f3d79f9

Download Submit
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

Filesize
106KB

MD5
4aa2cc5979aff984227364f2c23b04f3

SHA1
a252fedceedca1655d593982040cceed07812def

SHA256
b23112ae291efae80aa7f9b1b119eb0da4e426930a23ee77a6a43288f3c0cbb9

SHA512
f0a3d63a90745f7f8e15e526d1e7998ba29392e3af7f847ed9e2ca5c90f2a5889e32794487e31f4973267b9aec0685bb1b7d6a202208a8885ed0bc613439a481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d27f1c853df7ddea192b243de0b25c2

SHA1
e522e81266b6d0a9d70a37ab97fe335b26a7d1d5

SHA256
bd74d6198ab514ed4ddbde87b14d73a6f954a7924f7c1653abd73acdc322d6fa

SHA512
f3aa15be5a66de917db1935e8a34a7435a692966f98ac309c418232b13c92553165262c9916eddef2d4b48cc6b4a0b330c23982b9750802f152ff7d10ebf6257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ee2eea38a3b1f180992ed67bb7b52f4

SHA1
85dd23be4faa832665da1403964404e1efcc47aa

SHA256
b2e79ad1cb7c2ef21ac8383bb934ed9c4ef5047b6683f56265029b37ca18be4e

SHA512
f07775d9daeba72d6bb06e93467c7a6057b23604773e73b36e206c47d6b7ee35e66950ff8164e03069173ae6ce4b267a61b4967a61bfbca1029f8af014da27f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9829fbd0b44ed00d9ce8c9516c9ea479

SHA1
9d67e659f898225b21527511d61b37007aae933e

SHA256
5b21f32b1abe1fd4b3cbab7c967b6f9ffc0b449e3ae22878be4f7d36a803a3be

SHA512
3eb10f3c7c8436d167fb085c218023553b9c3b2bc7763e1b1f58f99ddcc677917ddef8b88fcfcccbd3965ec95b63d7e23d37d79a78981cf94b0f8660ef94a9df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3mrom4gn.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
d2e500e1ccd39c209a252a7b5053d3ad

SHA1
f045c63dbe86740a2e9a90e0a272e87b21254394

SHA256
1af658f1a5f810260d140f90373249b959b9f8566d34f950a2e6da217ba01ef1

SHA512
dcb6cb83fa9bfc7b3ea53bc9e9731c20160a3f93bf18fcf191acc7e6b0868507a3a34678b011b9b3988412860416c1f1f4d08ea057a038f054fcf77c7d0de9ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3mrom4gn.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
8af22bbf37ba8b682cf8bffebc39cc6d

SHA1
0b718d235e9e54a60f737024fbc91f0760f694d1

SHA256
e78c9052a6823e612808122dd30570f3582077d7122479e62b5cc1b75edba592

SHA512
44f26dd47a4af5e4ab9453128ce967f6b6d8812265e0f0ed227a62e5419f3073282abb205617074ec0f559b83e04bad73ebd3fe834974e40bc73b0ec1b6aba25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8C34.tmp\DcryptDll.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8C34.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8C34.tmp\MoreInfo.dll

Filesize
7KB

MD5
80e34b7f576b710d100f6e7c0bed0c2e

SHA1
2b5b895034d41ee0d0d01bf650594ad0d1346662

SHA256
569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99

SHA512
f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8C34.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8C34.tmp\inetc.dll

Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8C34.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm8C34.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\AlternateServices.bin

Filesize
6KB

MD5
66beb3de25c4a12335986e1a809d997b

SHA1
17daaec8daf72cb9435c5f5511d5527c725d3dd5

SHA256
9faa42c14fa5350ba5a25769fe6b18b7829da900e0796f879ef2a0fe69b39198

SHA512
5e44272e3b1cc31653964b466ae4e20e98def772c410f3825f067726162f932a811273797912c26e9d3b5e00773b4bba2d6fa3f8285ad18d115367e006f406ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
494ff8e7a2eabe1bbf8b2855487657be

SHA1
52b93738d26de0272870e293a2fecf8767de6fce

SHA256
1cc1876f9f308895889563e1ce1082f90821b1ff05280d497a374a3e35a93277

SHA512
88df3be8244a493f35775f82b74acf41a7940d8802229fe591cf0f170c9f6b6c5d2d96c12b7b7cfad96476b32941378a9396e1ea6753e9c0949d8f66e5f87f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
4a7695af91e0220ce65d4cc7875db98a

SHA1
29ce53a72cb6f29b2a095d8ff05e5d91fc221e87

SHA256
6c91a1fa67bb29376df6a286adc8b2881b6e46f1f8a0c951c42b7e5a8254282e

SHA512
40797fe3dc4d9c0bb55d09e3cedfb5cb200d5d2bdb7ced370216716fa9f86dbc47829f207883f76a21cdaffa6df4bb0f3d4390c86621187fd2236158a4a752a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
0a066ce3a0a3bd4ab2b4320d4bfb7045

SHA1
e73b45c093aef2762959c36f1873b6ec0e8db2bd

SHA256
1ba117a8cf3b21e9823529470318694a9305e16852244267e867ef89355b2ac3

SHA512
45a33961738daee63d40d893ead6b883f5d83596b17927ec78e29d5fa5e77a936aa0bea1431179b166387b4628f3ceeedc911837188e6dbae3c23ef9a061951c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\1797a8b7-703f-4dd5-bb7e-aaa93b00763e

Filesize
671B

MD5
8b669bab66a580078c3302e705b9c5b9

SHA1
3f2894b379286b8f0498f01edb234dfd18a23e15

SHA256
c74b8cc6493c108210391fc6acf25c3e3e4ec616fe322a8a6bbb57edce6d722a

SHA512
94d357af7677866a08dc361d7e4010108bd87b0ce79093f9960472e2e96b014f1f095e37f74393f3f847da451e543cf76665343d0befb640ee972632b94d419f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\95a9cf43-b76b-488a-b86a-62f8a513ab11

Filesize
27KB

MD5
2a873bf1146ef1dff03e8f6c7d815fdf

SHA1
1e7574ccd524941e0a0179a28b80747813e9d336

SHA256
a4c3ef7bcd28242a0b685ac32d920dc11e4641862c70fba56872a41e9552249d

SHA512
0889d2058abadbc967e6fe1a61453cdf7c94638a07b04d419668f359afef54b567ed7ac801e29ece4befbcf95e0f391dfe4cbe3d6f7839c0f0e6bb0df40a412c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\datareporting\glean\pending_pings\a8da25a4-ea15-4d74-bb7b-516e2ed806fb

Filesize
982B

MD5
e25d985075cd126dea02814d69f0fdcf

SHA1
baefabc5786d81736748d67648d88ee31467336c

SHA256
c03ca70981e19937491a7be5a5106abcf3b224040b0c66885931a4b343d87a7e

SHA512
2ced0e531e7de7bc39e469bd714de6d9f466f7fac726530c92b08d7f939538533440a19b0c0fd170c3a720d81e0af39f5e0ec81e7a91dfa928f1c53e18671361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs-1.js

Filesize
12KB

MD5
006fa730d2f03adc84cfb9d2dce8b21a

SHA1
3ddbc9cd8558f88f8cdc93a60af147f4f3deb157

SHA256
dd6990b8a9b1e98a678ea9c216d381c0d5cc26e00778c7ba111d6d10ae030cdf

SHA512
af2fc2f5861a179ecc93274372fc76e152913dbecc9f920ab22b1c79b96c1625672687b28e478d2dd2bc8a5b5a02a45c8fbc6801f2489d5816e2915d056e4e48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

Filesize
8KB

MD5
5df37d7a2db630cc71eeac9cc9beeef5

SHA1
a52622f338b14ed92126c38ebd065fcd7c3e6665

SHA256
c241ca7eb072e07ddd80cd546859705326b57072832d37c378f824c66b781c9a

SHA512
d61ebbe44e58e2561a0312bbe5f8daa2e547a13ea966c3fd4bcd7682ec18fd785ae9c8996dd602bad14bac9c271c6ccefd833f508f31fe4b8db704a63a85b446

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\prefs.js

Filesize
11KB

MD5
84ff80c1851a5cea4570ed8ce31b604e

SHA1
4338ed716231b39dbafd908c7630f80e3ec0ea60

SHA256
95a64317410e018eb0a05bbc2210c0f7ca455e6c0d62a92c7d6f00d018c11a6e

SHA512
41e299a92974714bc69b20927c618b0b78364b617000a3e1b643e962a86ba808d2e662dc843af5664771c03d7eee0fd4488e8bd26ddf6ac995e73bbbea5fb424

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3mrom4gn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.6MB

MD5
63fec045f1be80a144da108557368fec

SHA1
408e58b5f70246592369da8223cb3505243cf9b4

SHA256
e2275bfc46009a3796c5915ae8b4c8733bd36b16793a81c483f019f80d088a5e

SHA512
51c9f971cc34467c54754590bd2a114872d25cc6e67789f0952ff7b70d4fb56ca165ee76d8d15c844d508774b13b1ed59ecdfdd701b564c1b3b08cb0a4da1492

Download Submit
memory/3740-122-0x00000000032F0000-0x0000000003317000-memory.dmp

Filesize
156KB

Download