f3742cb8c7e315bcdbd8ac763609f870282957c9ed174f7d2de2f8e614e780a7

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 16:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Size

382KB
MD5

f6668db0b61bc428756c643a4bd0cd42
SHA1

ece7460af9560e9154c6f5d307baddbca15620e1
SHA256

f3742cb8c7e315bcdbd8ac763609f870282957c9ed174f7d2de2f8e614e780a7
SHA512

b52c2d7b7b69dafd4cd78be1979f1f22e94d06ecbfd91ac82e949088960705c03d5963f766770e22f06e6768ecfff2d5ccbf8da794179d81fb2c5bcb5d39598a
SSDEEP

6144:9Tq+P6GQgTCqSBam14ckqGMkNgypdj4a2gz+M0YfJnlCHhMjWP+TLxklIm5vqAb:9R6GPTCq9m1HkqlO7pJzf0YBnlCHhMu/

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
952	WajamUpdater.exe
2068	WajamUpdater.exe

Loads dropped DLL 16 IoCs

pid	Process
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ = "Wajam IE BHO"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\NoExplorer = "1"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\IE\favicon.ico	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\install.log	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Wajam\install.log	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\uninstall.exe	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\IE\priam_bho.dll	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wajam\Updater\wajamLogo.bmp	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WajamUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WajamUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
216	Taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WajamUpdater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WajamUpdater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WajamUpdater.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\ = "WajamDownloader Class"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID\ = "wajam.WajamDownloader"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\Version = "1.0"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\Programmable	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ThreadingModel = "Apartment"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\ = "wajam 1.0 Type Library"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Wajam\\IE"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "PSFactoryBuffer"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\ = "Wajam"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\VersionIndependentProgID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CurVer\ = "wajam.WajamDownloader.1"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\WOW6432Node\Interface	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}	WajamUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID\ = "wajam.WajamBHO.1"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ = "IWajamBHO"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}\LocalService = "WajamUpdater"	WajamUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CurVer\ = "wajam.WajamBHO.1"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods\ = "18"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO\CLSID\ = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32\ThreadingModel = "Both"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32\ThreadingModel = "Apartment"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}\ = "Wajam"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\priam_bho.DLL	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\VersionIndependentProgID\ = "wajam.WajamBHO"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\CLSID\ = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader\CLSID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ = "WajamDownloader Class"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32\ = "{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamBHO.1	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib\ = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\WOW6432Node\CLSID	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wajam.WajamDownloader.1\ = "WajamDownloader Class"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32\ = "C:\\Program Files (x86)\\Wajam\\IE\\priam_bho.dll"	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3764	msedge.exe
3764	msedge.exe
1420	identity_helper.exe
1420	identity_helper.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	Taskkill.exe
Token: SeDebugPrivilege	2340	firefox.exe
Token: SeDebugPrivilege	2340	firefox.exe
Token: SeDebugPrivilege	2340	firefox.exe
Token: SeDebugPrivilege	2340	firefox.exe
Token: SeDebugPrivilege	2340	firefox.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
3764	msedge.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe
2340	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2340	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 752	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	83
PID 4664 wrote to memory of 752	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	83
PID 4664 wrote to memory of 752	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	83
PID 752 wrote to memory of 1052	752	net.exe	85
PID 752 wrote to memory of 1052	752	net.exe	85
PID 752 wrote to memory of 1052	752	net.exe	85
PID 4664 wrote to memory of 216	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	86
PID 4664 wrote to memory of 216	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	86
PID 4664 wrote to memory of 216	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	86
PID 4664 wrote to memory of 952	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	88
PID 4664 wrote to memory of 952	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	88
PID 4664 wrote to memory of 952	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	88
PID 4664 wrote to memory of 1540	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	89
PID 4664 wrote to memory of 1540	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	89
PID 4664 wrote to memory of 1540	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	89
PID 1540 wrote to memory of 2840	1540	net.exe	91
PID 1540 wrote to memory of 2840	1540	net.exe	91
PID 1540 wrote to memory of 2840	1540	net.exe	91
PID 4664 wrote to memory of 3764	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	93
PID 4664 wrote to memory of 3764	4664	f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe	93
PID 3764 wrote to memory of 3188	3764	msedge.exe	94
PID 3764 wrote to memory of 3188	3764	msedge.exe	94
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 4820	3764	msedge.exe	95
PID 3764 wrote to memory of 3544	3764	msedge.exe	96
PID 3764 wrote to memory of 3544	3764	msedge.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6668db0b61bc428756c643a4bd0cd42_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\net.exe
  net stop WajamUpdater
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WajamUpdater
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052
- C:\Windows\SysWOW64\Taskkill.exe
  Taskkill /IM WajamUpdater.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
  "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" /Service
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:952
- C:\Windows\SysWOW64\net.exe
  net start WajamUpdater
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start WajamUpdater
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "http://www.wajam.com/index.php?firstrun=1&unique_id=831E357CCA0900D2DCCFFD075E553F9C&aid=5402&aid2=none&enabled=1"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb90146f8,0x7ffcb9014708,0x7ffcb9014718
    3⤵
    PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    3⤵
    PID:4872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:3500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
    3⤵
    PID:652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
    3⤵
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
    3⤵
    PID:920
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
    3⤵
    PID:1600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
    3⤵
    PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
    3⤵
    PID:6720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
    3⤵
    PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15739698567219779852,12615446498309735677,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5564 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4652
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
  2⤵
  PID:2696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26b30871-5c26-423a-8ce7-049ea5d54e4a} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" gpu
      4⤵
      PID:4876
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa3ea66a-f148-44ad-91ee-1b2c7c275de2} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" socket
      4⤵
      PID:4944
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -childID 1 -isForBrowser -prefsHandle 1912 -prefMapHandle 2984 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d61cbc4e-3790-4896-a24a-65c3589aa9e3} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
      4⤵
      PID:5204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c879d5f0-96cc-4a39-8bec-3869ed3c9e89} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
      4⤵
      PID:5340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14e0f0d2-32cd-49b6-9d27-185a23dd08a6} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" utility
      4⤵
      Checks processor information in registry
      PID:5552
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5032 -childID 3 -isForBrowser -prefsHandle 5024 -prefMapHandle 5020 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65e2ffc8-208e-4dc8-811f-14a54d3e63a7} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
      4⤵
      PID:6256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87183506-8487-42e2-8578-669a4aca6a95} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
      4⤵
      PID:7064
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b2cb000-754f-4728-8088-f959f995609d} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
      4⤵
      PID:7076
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5964 -childID 6 -isForBrowser -prefsHandle 5884 -prefMapHandle 5888 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35665662-97ab-484e-9db1-a608f158df8e} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" tab
      4⤵
      PID:7088

C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
"C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm

Filesize
2KB

MD5
ba7197cc8e52161fcdff765697febe37

SHA1
b03b974574d741ec8ba6042f14553886fe45d76b

SHA256
746739c05859db81f472d8bfe0b2f11ab33a3a661f6943e55e2833184f8925fa

SHA512
168fc12fbfcca80c7398636cb5b8ed0388d5d58227b3c2288f031c48ea490e64d09b1e1d0cd8e7bd67e67e4caae0574909db1d5aa36e8a40c421bf25c93ff8f1

Download Submit
C:\Program Files (x86)\Wajam\IE\priam_bho.dll

Filesize
286KB

MD5
28f3dcbe89cd9dd06fdee806e418a15c

SHA1
f12443dc84b5ad33247e8ac0b0c0765ba78c6a0d

SHA256
0a1fa2058197703119745da2b1b58ec0a28612231924ed10c53cb98a71e2dd7f

SHA512
04eece4f897d620f3669dcfda6e1f6e87e4c428a0021781e7a13f6a0571ba3d15294b8cc16236b62480fd96cb38376f76842471ea7327eb0741d35b15353f32c

Download Submit
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

Filesize
106KB

MD5
4aa2cc5979aff984227364f2c23b04f3

SHA1
a252fedceedca1655d593982040cceed07812def

SHA256
b23112ae291efae80aa7f9b1b119eb0da4e426930a23ee77a6a43288f3c0cbb9

SHA512
f0a3d63a90745f7f8e15e526d1e7998ba29392e3af7f847ed9e2ca5c90f2a5889e32794487e31f4973267b9aec0685bb1b7d6a202208a8885ed0bc613439a481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f55e90ec8d68947538d69d591c8dbd2b

SHA1
9dee6f9591daed3a6ae7d633687ab97cf5388842

SHA256
96b2f08291dde42dda4197c39377b7db1c4ae6c863e048ecd7e8e9f67fe153c4

SHA512
57ddfd08a17d9929e3546635040fafc330f504899ef7e1953e1c76f31cd3a6a60912178f7304676acc3bc0631b34b5c49dbd11df955286755be8f83908b28a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fbf35385cc772b08b2f6a715fe08375f

SHA1
c5f3d0b81cd96588b0b9077c3804eed3a652590f

SHA256
dfafbc91b50d933d8e968bfdb0f3f40a4b9c5ed15e7f5f755cb9b39edfa34fea

SHA512
c1a02c168bc174545d83ae3acdcb11bdbbaaa1cc2f76d1e4e8d99b0ffc84b8b12b54352ee968d30ee345baa8cf01782fb2936643b08db1bbf6b8ca173e8f4099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
07cc7706dbdbd6a046c4bd782ec48523

SHA1
5ae29d59812f348daf7a03d8f42aa606160a2519

SHA256
b73a100550be0a61df58ff1d12e525c261ddb84ceb35ee793d681b28a97430ca

SHA512
26892d185fe5e361ae6c000f6539d70a37d2c9a81b33c16b001498e2eca51fbcad63a40cd3112d91044ab05306bdd3f4349e507b3a8a6dbfe9a447a429fdd5e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
c74d315ae357aaec551b2a3254c782a0

SHA1
1f52c9d9ca8584a7605194a2b265cc375b35f0aa

SHA256
21a2fb1f23dfa0b44a5c450ae9befa87e05e26b4c4ac751692622e36a7d40faf

SHA512
86b4579ae3778bfb5ae201e6062c752d50d19dc715dc6044c738718a89b80d039d5420e93768e39a08bf3f7689c16dd703494fe390340fa0009144b10b4942ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\22386449CA13D8975B935875780066C6EF52CE37

Filesize
13KB

MD5
5493060702b582af8cc737cbb84dc2fe

SHA1
8a20f1a4f77f41f99e6096c83484b1cfc6986408

SHA256
2df81d751ca06b4a112d6522075907b5e32461e370296c637f4d2b5c2687e5ed

SHA512
9165bed5bd82003130e8976dba0e3259d2f58de000e3d03160c84d527eecf8ce319a04c2af4d64481cdc0d1963319e98be5bcd974884650e15d25291b4f428c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswAF2E.tmp\DcryptDll.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswAF2E.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswAF2E.tmp\MoreInfo.dll

Filesize
7KB

MD5
80e34b7f576b710d100f6e7c0bed0c2e

SHA1
2b5b895034d41ee0d0d01bf650594ad0d1346662

SHA256
569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99

SHA512
f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswAF2E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswAF2E.tmp\inetc.dll

Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswAF2E.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswAF2E.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
b53e8611b4f62b5f9cc4c5fab8351917

SHA1
cfada30d59166c7eb063ccbd4b45b5ffa37a2ada

SHA256
19e172f161abb83e30b125757067630d34458c0f07976a0be3dac3ef0df55312

SHA512
064abe2f3940ecec19fff78f4185fc0aa55e2b1f42aaa09c85f9cd97da1e97a513a9005621d929d1d7b0cdd6ccafed55d4589f6307dd081a9b972b366bd1828c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
e2ec23e04c7aa1e0b466315569728b2e

SHA1
e25005dbe84b74894f3015d60b201caaef791574

SHA256
bb903e3427f24f1d4deeadf9eea8533f9fed2846ccdaad81419acd05e8ba4883

SHA512
c3c2b9c252edc06428ffe3cced21c2263237e69eb7e766f91c4217436e853c7074dd2fe5e711b1d807cec44497512afaa669ebf9c4861f752257af3aa6322c76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e387a7ae367c2f97a7981f05adc7f828

SHA1
f73aa819dc26385e50a30a437dcdad818a754010

SHA256
2eea32c9fc9809efe2b4beb60f9bbbc5634f2bd06b1ab5e25b46f2683a584b34

SHA512
d16ca9fcb520a6230cbf8fad45dd5b83a173610cb63dc79b2416bca7a35a76c6cd2ae179f1394b3a80250e39b9607f86c903e43ee78bc02a40a8973da9723164

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
6e08b5a52dd342d6f9edfd6d3d7044e9

SHA1
c4470c9b6c45c66677fcb8bc43d3490afdca7201

SHA256
c3d04742d82acb90acc5c48f917d14edabd552358ed9cd1f8043dfc9c174b173

SHA512
e896ad40ff889c37539effc8c9c8e5eef17724ce5cd3acd8cf2c599ffba76d8362b80b5ad5ee699803bf75161023264ab9eb5e57bc0155f499d77883d7c7b597

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7823c3cb564a225c1ba779735fe45fc0

SHA1
1e2f8feededec39afa029de9123f9287dbd4e11c

SHA256
fba6a97af5338c234cd179bdec2a7c641b7e6a6a98b97ff1c869ac9dc715b860

SHA512
8201b793f9399fb05a77c8d6cdbba254580cb479c9cd4ad6916e74d16b9c92307669f09ec6707d3b23a537874c345fdc7e70da5819968571cad5abf97565bae4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\55701d07-21ec-42a2-ada7-c73b862eb95c

Filesize
982B

MD5
7545fffb67d3ed6f07303f3c8592684a

SHA1
d45e6b6c1604cc780a2a757d7fcd450de19984df

SHA256
a0c5a898d99818331ff3ab3c5f6bc78c1388868af1102aad7e7a424e5054689f

SHA512
eb5f1c18cb17a7a0dc89637e0f41faa519185a59f86986c6462d07bee846173fd9bae1da94c52e06365462bba3c74b7b525899020390cb2a01b58f2202d4211c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\634304aa-8e36-4e42-bac3-eabc2238300f

Filesize
26KB

MD5
d8e707cf4355b4a50452212573a6951a

SHA1
121e754a82c58d2f868d5cb5337f523caf0bba17

SHA256
66d13ed26fd42400699b0ae3c7cb5826f82899b58d9b1608bc1faf6583071a47

SHA512
17f2fbafeedea905abf0cd08614459eca1f81a20e48675eb7b79a932b59da273a84e70ad479980da7cfac8662aa635bc4aa3e88b20d4198c0a32083ce5121e32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\a873942a-9313-4198-9749-43058c3db8d5

Filesize
671B

MD5
9c9011596fb3429ef6b6ff1c12935af2

SHA1
0ee224c5d7de7170c8f7eb7cb6dd9c448719b6f6

SHA256
27f92d8d2bf0f4564ad6f8ca4a05cd0be08128949699b9ef069bcc2792b914f2

SHA512
9480ae7b65f17ee16ca00359ee1d7b2aa75e3f16a37eabb4a90053ed2b70ec06d23194d7eae0f7c7c423c82fea4413d1b39b2e7b34e739f45a4abd22c5a94ba5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
12KB

MD5
3978c5e20ac0468f104089b1b1c90133

SHA1
60b4fd70422e64c4dca00d7884ac08fd2238f291

SHA256
473a147a5387cdb1eccc3eaa9099dd7b69e6e9b6dad1dcd7664b672daca8d41d

SHA512
de73f9a0e296ece66688b68193f80bc736467cf7ea727490bd7d0dbae680c837b05f760406d88673c566f39de207a3bc78cf73e1793b12ef7142a30e855cdde3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs-1.js

Filesize
16KB

MD5
8f5c1900558313d8aed6f84bc901957b

SHA1
7b684a577c13e33d9d512a12a690005e0efaa0b8

SHA256
90a69ac1472a8c0fd2941d9ca7486b827031f4ff65b6e6af1074b219656aced6

SHA512
56dd0e70f13a470e8bbb742f7508a6434563776ec74cec48e27dc29a9f35751e4599818d982dcedb3f6b1ebc7c3f29001d6b0e8db0794b3bfe1f1334095ce4d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

Filesize
11KB

MD5
74994c73cfe2ed8080cd62a27cf048f8

SHA1
e5d6d8fcecada48b4a27818a13fa8562341e2c85

SHA256
af6059da35b6cf6ab61f21854405fc5b0ca107e99bccb5ae0b69f4cbb2cdc63c

SHA512
08a2a6be621d323685a77960917f263b44c1aa0892eca38297db674459dd46d92719ee2cbd693686bac31628d7e8b20eec765c699fc21bbcae8aee592831f787

Download Submit
memory/4664-107-0x0000000003240000-0x0000000003267000-memory.dmp

Filesize
156KB

Download