f3742cb8c7e315bcdbd8ac763609f870282957c9ed174f7d2de2f8e614e780a7

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 16:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Size

382KB
MD5

f6668db0b61bc428756c643a4bd0cd42
SHA1

ece7460af9560e9154c6f5d307baddbca15620e1
SHA256

f3742cb8c7e315bcdbd8ac763609f870282957c9ed174f7d2de2f8e614e780a7
SHA512

b52c2d7b7b69dafd4cd78be1979f1f22e94d06ecbfd91ac82e949088960705c03d5963f766770e22f06e6768ecfff2d5ccbf8da794179d81fb2c5bcb5d39598a
SSDEEP

6144:9Tq+P6GQgTCqSBam14ckqGMkNgypdj4a2gz+M0YfJnlCHhMjWP+TLxklIm5vqAb:9R6GPTCq9m1HkqlO7pJzf0YBnlCHhMu/

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2728	WajamUpdater.exe
2616	WajamUpdater.exe

Loads dropped DLL 11 IoCs

pid	Process
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam IE BHO"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\NoExplorer = "1"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	WajamUpdater.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\install.log	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Wajam\install.log	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\IE\favicon.ico	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Updater\wajamLogo.bmp	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\uninstall.exe	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\IE\priam_bho.dll	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WajamUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WajamUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0004000000019461-44.dat	nsis_installer_1
behavioral1/files/0x0004000000019461-44.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2956	Taskkill.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9FB764A1-7B5A-11EF-8FDB-C28ADB222BBA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000814e3903b66718d65b92964d56cc2e0c41b05a4669a4267c37bd9df07b1bec67000000000e8000000002000020000000d822996d5565f8d52b63f9a1fa9e3c3c3f1bd2bc3bfb36d3cbffd811c03e1e1b20000000eb3c8aaac8b9f7d6bc179aeaec76e6ca471a5f4c4397195ae7ade4056e959c2c40000000bfeae2d50bb1054127cf0dc49a0843f5c90af1038842321d2ab193c1fcc65287073b5e96b07f87ed4fb9d04fa40e5787f6e063bfb97540f7b941ab54d718671f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433443331"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b0000000002000000000010660000000100002000000059f7f1ac4e587b517a9d25727a108492188112d97b747384be438014da603a8c000000000e80000000020000200000002a6b94fb36d2bb15de40a8db93a0db5e1a7680fa5c647e4beb04b0ca1b86abbe90000000d1df1e8589ff7eee42bbb43eb6a28726090028cd8721e1c938519dc17d821aa7b9439593b2037d521e4183fdc84c7f106003d2536cbdf0d2b50e0cf3dba4910a72e715358da0d200ac1f68126014c6ff98e0538b6cbed82fa72aba75e8e07781ac4d3e901c799c725c310e9cc6fde8283acf9c356b86bd0cacb9f9a2eae6b833fe1322bdb75d7ff1e0e94bf37e3c9dd2400000006ad49ae87bce19fbc2c140ced385f9c484b2ae24e86a2fca7c64fc9a78b43a31556944235eea671aea24d5a60cf65480d682eb0064ce71be3c2f7b7cdf9bbd3e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0abb677670fdb01	iexplore.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WajamUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D226AD4A-3C34-49D8-9A5C-6CE79AB60051}\WpadDecisionTime = 009bea62670fdb01	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D226AD4A-3C34-49D8-9A5C-6CE79AB60051}\ee-21-71-88-e5-44	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-21-71-88-e5-44\WpadDecisionTime = 009bea62670fdb01	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D226AD4A-3C34-49D8-9A5C-6CE79AB60051}	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D226AD4A-3C34-49D8-9A5C-6CE79AB60051}\WpadDecisionReason = "1"	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WajamUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WajamUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D226AD4A-3C34-49D8-9A5C-6CE79AB60051}\WpadDecision = "0"	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-21-71-88-e5-44	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-21-71-88-e5-44\WpadDecisionReason = "1"	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	WajamUpdater.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	WajamUpdater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D226AD4A-3C34-49D8-9A5C-6CE79AB60051}\WpadNetworkName = "Network 3"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-21-71-88-e5-44\WpadDecision = "0"	WajamUpdater.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\Programmable	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\ = "WajamDownloader Class"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\ = "Wajam"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID\ = "wajam.WajamBHO.1"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ = "WajamDownloader Class"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ThreadingModel = "Both"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ThreadingModel = "Apartment"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\ = "WajamDownloader Class"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}	WajamUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID\ = "wajam.WajamDownloader"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\ = "wajam 1.0 Type Library"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID\ = "wajam.WajamDownloader.1"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS\ = "0"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Wajam\\IE"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\ = "Wajam"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}\LocalService = "WajamUpdater"	WajamUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}\ = "Wajam"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL\AppID = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer\ = "wajam.WajamBHO.1"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods\ = "18"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	Taskkill.exe
Token: SeDebugPrivilege	2892	firefox.exe
Token: SeDebugPrivilege	2892	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3016	iexplore.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2892	firefox.exe
2892	firefox.exe
2892	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3016	iexplore.exe
3016	iexplore.exe
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2664	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	30
PID 1568 wrote to memory of 2664	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	30
PID 1568 wrote to memory of 2664	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	30
PID 1568 wrote to memory of 2664	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	30
PID 2664 wrote to memory of 1792	2664	net.exe	32
PID 2664 wrote to memory of 1792	2664	net.exe	32
PID 2664 wrote to memory of 1792	2664	net.exe	32
PID 2664 wrote to memory of 1792	2664	net.exe	32
PID 1568 wrote to memory of 2956	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	33
PID 1568 wrote to memory of 2956	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	33
PID 1568 wrote to memory of 2956	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	33
PID 1568 wrote to memory of 2956	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	33
PID 1568 wrote to memory of 2728	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	35
PID 1568 wrote to memory of 2728	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	35
PID 1568 wrote to memory of 2728	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	35
PID 1568 wrote to memory of 2728	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	35
PID 1568 wrote to memory of 2728	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	35
PID 1568 wrote to memory of 2728	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	35
PID 1568 wrote to memory of 2728	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	35
PID 1568 wrote to memory of 2540	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	36
PID 1568 wrote to memory of 2540	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	36
PID 1568 wrote to memory of 2540	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	36
PID 1568 wrote to memory of 2540	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	36
PID 2540 wrote to memory of 2592	2540	net.exe	38
PID 2540 wrote to memory of 2592	2540	net.exe	38
PID 2540 wrote to memory of 2592	2540	net.exe	38
PID 2540 wrote to memory of 2592	2540	net.exe	38
PID 1568 wrote to memory of 3016	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	40
PID 1568 wrote to memory of 3016	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	40
PID 1568 wrote to memory of 3016	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	40
PID 1568 wrote to memory of 3016	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	40
PID 3016 wrote to memory of 2600	3016	iexplore.exe	41
PID 3016 wrote to memory of 2600	3016	iexplore.exe	41
PID 3016 wrote to memory of 2600	3016	iexplore.exe	41
PID 3016 wrote to memory of 2600	3016	iexplore.exe	41
PID 1568 wrote to memory of 2852	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	43
PID 1568 wrote to memory of 2852	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	43
PID 1568 wrote to memory of 2852	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	43
PID 1568 wrote to memory of 2852	1568	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	43
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2852 wrote to memory of 2892	2852	firefox.exe	44
PID 2892 wrote to memory of 2036	2892	firefox.exe	45
PID 2892 wrote to memory of 2036	2892	firefox.exe	45
PID 2892 wrote to memory of 2036	2892	firefox.exe	45
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46
PID 2892 wrote to memory of 1752	2892	firefox.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\net.exe
  net stop WajamUpdater
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WajamUpdater
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /IM WajamUpdater.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
  "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2728
- C:\Windows\SysWOW64\net.exe
  net start WajamUpdater
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start WajamUpdater
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.wajam.com/index.php?firstrun=1&unique_id=F9ECF30E4DBA9F4841DC7CFD3FB1D613&aid=5402&aid2=none&enabled=1"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2600
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2892.0.506769919\1577550419" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c51b0c8-371b-416d-ae0a-8c7f8996efbb} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" 1292 102db558 gpu
      4⤵
      PID:2036
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2892.1.1481012195\2137268534" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20fb2aaf-db50-4cc6-a93e-f97eaefca635} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" 1508 d70458 socket
      4⤵
      PID:1752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2892.2.1151699127\1390577457" -childID 1 -isForBrowser -prefsHandle 2108 -prefMapHandle 2100 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30c9ff9c-ca00-4ac7-a297-ec75807fde10} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" 2120 1a2e2a58 tab
      4⤵
      PID:1964
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2892.3.241653962\1031717743" -childID 2 -isForBrowser -prefsHandle 3136 -prefMapHandle 3132 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cee2fb5-ebfa-47a9-a858-9f74747a08bc} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" 3156 d62858 tab
      4⤵
      PID:2792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2892.4.617122034\1509637268" -childID 3 -isForBrowser -prefsHandle 1112 -prefMapHandle 3776 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d592327-0d33-40eb-ba87-63470d5058bb} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" 3788 1c352558 tab
      4⤵
      PID:2908
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2892.5.261879060\1957593439" -childID 4 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e402478f-c47c-40b1-9bf2-6c14a40aa77a} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" 3884 1f184158 tab
      4⤵
      PID:2916
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2892.6.1031358527\1179382409" -childID 5 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d842ad90-427e-4d19-8a36-4f374a2bdf2d} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" 3976 1f185058 tab
      4⤵
      PID:1772
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2892.7.1621649294\229117596" -childID 6 -isForBrowser -prefsHandle 4276 -prefMapHandle 4080 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1e54fd4-8b40-4353-8a32-85600635f3fb} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" 4288 1f4baa58 tab
      4⤵
      PID:1684

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm

Filesize
2KB

MD5
ba7197cc8e52161fcdff765697febe37

SHA1
b03b974574d741ec8ba6042f14553886fe45d76b

SHA256
746739c05859db81f472d8bfe0b2f11ab33a3a661f6943e55e2833184f8925fa

SHA512
168fc12fbfcca80c7398636cb5b8ed0388d5d58227b3c2288f031c48ea490e64d09b1e1d0cd8e7bd67e67e4caae0574909db1d5aa36e8a40c421bf25c93ff8f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f1c08d894c1070960f29a56786e0e90

SHA1
af4af73077ebbf760b9e7b22f401ff6ed2a3e8e4

SHA256
865852c4bdfee593d1e4629554a692813554ef4c1c6f46d67e66fe485ae881b2

SHA512
8ce64ec26b614d0b13fff41e1dba9fb8b1844cf88b288a5d31b35396dd738fce2cd585871b39a6ed9f50fa209795a47805572a9afc700a4e322a4c1d15ece259

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e00587b3f73ebff24e078216bfc9803

SHA1
c146b8e2c54f6193cca62558d348c6845484398a

SHA256
7ba30bee15d93418170f317932929a8aeb4418e528022d8fbf1016f88b2edf35

SHA512
21caa63fdf007c65989ea8afd2fbdb4551b96c0926c6e096d5d24436fb6518bf31c832bdfb507e91c5483e60a8d4e1714fb1f7ef201cc587679a131bae18d381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f89d3e65ed9fb686cab51aac1480eb6

SHA1
4e9a750ce79ca3275cb37f3e0d0aceb0783dc976

SHA256
2a19eac520b3ff17dc6d377ded321fd07c2c8ea0ff050d03cdb38e4fdb490a5a

SHA512
838b884937c2b1c60ab7bc2e7100afda11e4a83e242805776ed26e9cede559f9152ddeb101a4fc2fcb41ee4e604012e2787bb906e1c7540f243f20e95c6cd4e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71a02834c4b3798fa3326480921e7e6d

SHA1
fdfa3baa39c12d0b3b4658df936349a9db4fe857

SHA256
99d482a3d1610e210ea16a1804f294a36c88a4a3445afffecde4c87a5cd9ec89

SHA512
48772de77c68d5a2430f45d2056d5830a84a571d25fada0f700e74a41c5df4cd9d53723c4b39b5cdd1ced3053fb684be7291d095965e1dfd7cf034fcf1c573bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0930cf226ab9c76e185c41f3db575925

SHA1
37ce25189c17edb99d5a395f5b1b383749b18e27

SHA256
fadf53f2ade84a6aa05712b6e62b9d0ba35b88442b82128dd09d33208f004e26

SHA512
83ab052c3299b57b69e3f26a4ba3f31a89107f66ecd4c6fc6b0aaf70e7dfc05124f4fbb964ccb401977443d4fabb0addd7458d9173d23dc141175a765ae5b951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a304d1cc1670c64730f2d57b51bb3ab

SHA1
4f302697731a2e6f442d1f40c90824437a0880c4

SHA256
62f8803e3949668e2452fd7ad80f19ddd0a3d887f5c91424c4e68c6c88c14e0d

SHA512
7d694bd7c9eb310a1900f58154a49e18a48fb7007a2cf89f1ffeac345ab40558cd54a26ccd1e654fd78ff7149427dbd473ba9a730120020e69a08e2c2399a860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab65a07ea2380d2ca531914c1504390e

SHA1
7f24b0cc8d5edbd0bb9ecfc8fabeb6fa6358cf3f

SHA256
179fcf4561ff2d99cc4c759570c50c8c542f170df2ae252a3d95cee1f4889ca6

SHA512
c44c08f650cd4c60f31081f59e5e5f919ed346e502517e9c450ca2d5966c577ce3277d1219b7b6b38b9fed69b6775531684b570d534971f1867348f0b138acad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1efdf0105c695cc2ec8d47e1d0c45595

SHA1
59aa1c9f5e364aa395239ef39258deca0e16561f

SHA256
2b78e7768ccfd6f1099dac8e35c84dba68ed172e75eb2a099f58816bfdfb69ba

SHA512
df44c60b1de53ec2b85e7d0aceb833d02e2150661eb7c37e15443883746bf04238dc84a65ebc6d7f837e9fbd319cfcd04c18df6207a923848db2dce4d292912f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1fd42b09b11e9bc13182d224e99e481

SHA1
4a4c6a433b15911339862f019178183209846e32

SHA256
70815cae50edd6ec1d8dadba235510c21b73dfc5352ab1af5d4dd0704d0a3fb0

SHA512
9ae5a2d4a12355b6bf24bf63bab9dc1dd79b9d1cd3bace055db02ff5273a9e53b718d3649a6b73718984a662c2cfa6173b3509b05a50c067ffb1fe3add2d6253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
449f5358c85185aa095cdfc487ad8013

SHA1
d95c2836208945a66c2070d3b93b8dd012706e7d

SHA256
c5e7206d96606cc1a6b3080cfde07836ce33cc3c4aa8e85bc0d3f3feb1b6acce

SHA512
7e8d63b5a112b24b5c1befe3c5eaac4aaed12393bb7caad967bbc600225536c1314ba7af6f5816d7aaf63b6a528502810123b6bd78d316bc9c62f2a37264d689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
397bd6adbc5e8a1d375dabcc887fb172

SHA1
b9933c703d42113cb3f3eafb3bbc02db74e350a0

SHA256
00cc4aadc68ec5e1d4db8520446034d3c9e0bd907fce29eee3af2e47e80df69e

SHA512
5bde1e0942d1a2af35f4de1399a56b85916c3e2648f22aa816785d061b53b58c456c5fdf56b8f05c90ef41e1cafdac36f7a2595469a2eb63f1ee3b33804fd979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
454d8b5850dbd9797a7060600d228649

SHA1
8605c467434cf8a7e9c7ee012bef23c9d01f9ec4

SHA256
c54c1a6563d20ed3e99e111d4859fa28eb0de3a11852a3f6a1f1af0b8bc68fb5

SHA512
30809183cede890eac143ff4b42dc09fb1b963c2f942d1dc91907e2a3e99ca0f70b06916a8b7d3a380bebc7f89742dfc32fdf802f299355691e32a3daa7d417a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
165f32b3a88cbc4c2ecc9eaa1a045161

SHA1
94de957b6150318e0e67c9216013d225eba29619

SHA256
dd3e5076e1f456f377c1783bf421715b77b6d9ea8a593c48fe7c168c3cce4051

SHA512
87dd5010b718dd23daa7b4227003693aec480e7cb2bd523487ff3c5eb61d851f7bb7dac1ffa7c10270f6df31842b69a802aa3d95a95b21f3f10a6c1c00626eff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e5de5455286e13cfedbb6d952005ba5

SHA1
3d36d8d9dc93a1da18c5e919c7d40bf3f890c0cc

SHA256
ac9009de8260beea5e786d196516e69ce5170bb8b648190aa12a1e006a417815

SHA512
1f268fcb58fcf607bd3aa4dde1f8961e8947870a9d4ec0eeb18ae0c055ce74027ad09885ed916fbcd33c1f7e03809793f2accfac621fd332513fbac9af31e390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2798ae5edc08d014cef2e08f5ecd6c17

SHA1
a8cd007c6d477a0035afa73f3bd0b82e1f08b0b3

SHA256
4d220e8a5bc992c94c4a3c20d3a30c293f5c7785752ddbeedb8a3e85042aae7a

SHA512
2b55673a1e7286c39f5f05f14d9dc6586d70c2a4b2a37357b6ebb2a0072367dff0727defbfa4801f826bb38e069198cf9069479158a11cf7691e08aecd568571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
584de8e1a7004b26153c103ff8f4d4b9

SHA1
ecdcc15be1795757585b1d2948f3fbd63fb9ecd5

SHA256
8a9f74d7e98e1985f2e177f095db6d417230c4584cad260630ca258cd6c2666e

SHA512
3038b8e89b4b292eda2cf45112a839545af3e634081e182b934a906eaa91e027ffae33cfffa28ac6dba42074afc3975268b790d3d78f9ad30eb17f0154a792d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5aa1244f6247e31c31839305480f0222

SHA1
78962054c765b8ef0f787033b524f53e9bfa6b8e

SHA256
bd7b3fffb5248bb6355a0506c4aa2637afc4860feda1961673bec40333032b82

SHA512
74fe419ff834be2aa3fc3a025585e49d10806a5030b77620d8e16a37d9f9ddc7628f0d14804d6db98ea6ea40c493ee74c477931fc21f3790fee1825ef0e41a2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c21fcb18300862c8fd00792ea952fac9

SHA1
9cfe38774911e12f8bce0919843c91c205deb41e

SHA256
31d0fe566a714286aa1d75356f29de2f6461875cb29be7dd0834dd94dfb222b5

SHA512
37fdbdf1e99e03d897688008feb25f3c65c2432ac8928090bde29f0170ce17ab88134ac7e4ee291dea14dd479b6a0aa085ca293a701fd09df8a90e8292f058ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2c3e3a1653b0bfc47928af905ba1b9b

SHA1
d549b64a43470eab04c675b705475aafb9450655

SHA256
bc74c4bec7e1c0d72629bcfd3de84fc0f0fc505db820c9272440d0dd6cf31e0c

SHA512
82f52a9e09c5763a0a68750dfa2217d58d84c866edbd3e06b763a813f854f75bb49f3233273695f2a5e2943e637d212f489602c7193d3b794c093cd3603023b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
33KB

MD5
97e370ab374d70dd411648ed328c5989

SHA1
7ba302a77b269148cb561bda1e71b1865419a99d

SHA256
f5159733503f0e56e11c135687315b7f1deb26555b454950d6961b6d00fee95c

SHA512
4b8315806dc22b67e6c1cc3f994063b2e28d31d9c737ac1ac3b90f578ae7b80569a1a56393f72e1f98a1149518a18477f0c530ab221315d21a48283b0ff31cbf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37

Filesize
13KB

MD5
899755f0a0acc85ba07f1ef8694c7b33

SHA1
2040ba9477a612eb64e66538a38f074817f92d6f

SHA256
b58251cbaa77da350641a83c1045811e24b5f5d5a1f3ade045923c9443dd5833

SHA512
a6d1e8b820299d83cacfaab8d6a2517bfedb8c2c9cd43a70f8f9f66bbd20860d7225f87f4fcb35978e000ff3a2359132b97847e99c5a4da4ef4298bc773ce822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4E04.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4EA3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
d69f7380be597d923ef0430cb521ea61

SHA1
8cc553e4f20110331fbfe651373dcd0e45dbde72

SHA256
c8ae05d584ce30d51f241150494f96461c258dea26592229eeead0c9ed70302f

SHA512
345b6766b04fa2542b31845c088d57bb167c76c0648c0662f52fb568a082858999404bd0dccc529bdee2e5aead1a570acf64a331bda614be409a39058bf10f03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\pending_pings\9842fb1b-d903-425d-9ce2-f8b97ef71a58

Filesize
13KB

MD5
11a1c3cc8f22779b27eee50f33718c2a

SHA1
3eedc1e5c326c99fd6581e9a7a53be08ca88cae3

SHA256
4b384a2590d2be4c1b1ca16c2ee61879e3d65a3d5bbcbc8577a5e756c03e5885

SHA512
f0d84861118b29ecb479c953dcd583f24e77b637012b36cf776ebcf7514744d4934d20951358df00453bf81bc8296f4203d15f88133c0a3eebabc20915170f86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\datareporting\glean\pending_pings\e78fd002-e385-4f3f-9497-daa106b21d69

Filesize
745B

MD5
3ce95f59edc4d9e00321ace34abedb31

SHA1
753a9f7b855c41627970f086196a8cb1661fe0b3

SHA256
b0bdcac9ae11e467a0476523153ee53069c1fe8ee6c9d692a9e8d9e3184696ff

SHA512
827e5ffeddbe5e328088f273c93fb76542efba562457924563de2c16d866e6a3e2293ca0b3e0cc30a30421cf0f0bdb9c1420d81c58e151a44b38317762dd3c89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
7KB

MD5
de8d6cc8d7386e38df7cf45e5f36220b

SHA1
f0c321a81096970cdde0de54a9617d5f14f79fc9

SHA256
f77ee7cad29550b0d0cdcd1393835ae1501f3caca53f3eb7ddeb5c2f720740fe

SHA512
cc19a062d5ebc4fe72241c34624579074d5e82a88dd0f05c7c94250abf112fa8fc046956c7edae3b5bf3d842a51594b72c1b9ac0ea251f30782b3efd5efe1022

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
8KB

MD5
85367092675150ab507638835ba8cd77

SHA1
05bd05db33641285402e7dca24f7214be9b894b9

SHA256
3a45ba600f41b627f24bc4d82abc674383f34e4ec24cdb0f9ec0ff5a3047a94d

SHA512
0b24862b6126b47ed13769a90047bdf2b45a8857bffb210896f3a7f9eecaede2ed3beb9f3656dcd2bf244850115a42e93f204455ad464ec7977ef11897921a3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
6KB

MD5
15b5bab75cf41b1b8f354eacbe642077

SHA1
fadfc363cbb2d7857b78e1eb8ade6f0011110cf3

SHA256
7e523e35d89e695fc3f6a7bf390817aa28a01e41127b3d40a5bb27b09a006b02

SHA512
c920b23a04c3cf32f8bd1ebd439cb2de69e921efa1c13146ef236282679f06395b571dc48560ea4678fb47a9db155606e4504846d57a5d70c546b34f8a7c223b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\prefs-1.js

Filesize
6KB

MD5
83f54b6e3900f516b72dbb598669f9b3

SHA1
f44886bb5f6f4e900400b46e70e8bd13ba204420

SHA256
052f9b2da7ad2f2cbe9ae8fafdc68ec9b550eef45892476fec9f85e2bd9de8c9

SHA512
f35a76fdd695dd986aa93d458e918ac1655685333c5b5a3c2adfef572c939476b8a760e71b5521554265bb74bc8a7ee592421008323869295fe799be37d0fa16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2d233290df67293f74dfb2f75e0a9920

SHA1
00e262e1d50d2b3a01707b875bc3169930771d35

SHA256
0b9a31da8ce0f1dbf6f1f6fffc6e0c1f8ffa24700c10ca3c96693704811b544d

SHA512
b2d68cbc7f71d83b53d75443b11785fb8a5f2a7be02aba2511238d0b7236f38e642166b34ac352eaec9cf64cf1a89d41cc54f27849dcd6c8ca0949c493d91165

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
c6a5adee7ef2ac0158f79ea6b96b5b32

SHA1
173675f3f4f8d0953b4e59ce9c9fbf2cb879b372

SHA256
4d7cb4b56aca44735b14a43bb22e00fa921ce7450f6dfe77747e5a227ca53f94

SHA512
baca6657092684fd192f55dd04b941722e22c53e0cd5d49cf49d1e218ac1b7e5ab34c1b540fa7d7e2826ddca5a2daa32772cbf4726bfaa9b978edf85e1bf2780

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.9MB

MD5
f716f70638654c0d86b7661b40797e87

SHA1
6a5f266daeda3b1250b1626cd972160eda038ad9

SHA256
0361c32e25098ad1286c20a67dbe812ac1318dd91bf588fd3d478048a44adeb2

SHA512
d29a8496974187fd7b4c47fca91d62aae5a7bedf3ebe5a06c4d9786f86b57b2e9da360115a73372eb6f3b28d679e8b116e16271de75cbaf70482bf960d369c31

Download Submit
\Program Files (x86)\Wajam\IE\priam_bho.dll

Filesize
286KB

MD5
28f3dcbe89cd9dd06fdee806e418a15c

SHA1
f12443dc84b5ad33247e8ac0b0c0765ba78c6a0d

SHA256
0a1fa2058197703119745da2b1b58ec0a28612231924ed10c53cb98a71e2dd7f

SHA512
04eece4f897d620f3669dcfda6e1f6e87e4c428a0021781e7a13f6a0571ba3d15294b8cc16236b62480fd96cb38376f76842471ea7327eb0741d35b15353f32c

Download Submit
\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

Filesize
106KB

MD5
4aa2cc5979aff984227364f2c23b04f3

SHA1
a252fedceedca1655d593982040cceed07812def

SHA256
b23112ae291efae80aa7f9b1b119eb0da4e426930a23ee77a6a43288f3c0cbb9

SHA512
f0a3d63a90745f7f8e15e526d1e7998ba29392e3af7f847ed9e2ca5c90f2a5889e32794487e31f4973267b9aec0685bb1b7d6a202208a8885ed0bc613439a481

Download Submit
\Program Files (x86)\Wajam\uninstall.exe

Filesize
61KB

MD5
e4b042cef6cc1042b66649eead08f733

SHA1
9e3675fe6a820be8bb98cda80d456ba78ec87bc3

SHA256
7e0087d837465c2f5f66e844d445c6b5e491bff625d1f38bf33b1e34cc17c5ed

SHA512
815fffb1b4f973a534e4279162fed057cdee3b6628b6e1712bdec1039c3fd6c66b7eaa7d9b309cafb4b117e9b3942e4e27d80ffc6843269e526c21f960a47b53

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1576.tmp\DcryptDll.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1576.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1576.tmp\MoreInfo.dll

Filesize
7KB

MD5
80e34b7f576b710d100f6e7c0bed0c2e

SHA1
2b5b895034d41ee0d0d01bf650594ad0d1346662

SHA256
569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99

SHA512
f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1576.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1576.tmp\inetc.dll

Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1576.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1576.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads