6a393ecb2861a27240d322dd407f6adb7218b0a5.exe
This report is generated from a file or URL submitted to this webservice on June 19th 2019 15:35:00 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Contains ability to open the clipboard
  - Contains ability to retrieve keyboard strokes
  - POSTs files to a webserver
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Queries sensitive IE security settings
  - Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Found a reference to a WMI query string known to be used for VM detection
  - Marks file for deletion
- Network Behavior
  - Contacts 9 domains and 9 hosts.
MITRE ATT&CK™ Techniques Detection
Additional Context
OSINT
- External References: 459031.csv-ids
- External User Tags: #malware
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (12)

External Systems

Detected Suricata Alert
- details: Detected alert "ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers" (SID: 2011227, Rev: 5, Severity: 1) categorized as "A Network Trojan was detected"
- source: Suricata Alerts
- relevance: 10/10

Sample was identified as malicious by a large number of Antivirus engines
- details: 34/71 Antivirus vendors marked sample as malicious (47% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details:
1/15 Antivirus vendors marked sample as malicious (6% detection rate)
34/71 Antivirus vendors marked sample as malicious (47% detection rate)
- source: External System
- relevance: 8/10
General

The analysis extracted a file that was identified as malicious
- details:
8/56 Antivirus vendors marked dropped file "uninstall.exe" as malicious (classified as "Wajam" with 14% detection rate)
19/75 Antivirus vendors marked dropped file "WajamUpdater.exe" as malicious (classified as "Adware.Wajam" with 25% detection rate)
22/73 Antivirus vendors marked dropped file "priam_bho.dll" as malicious (classified as "PUA.Wajam" with 30% detection rate)
1/78 Antivirus vendors marked dropped file "ExecCmd.dll" as malicious (classified as "Suspicious" with 1% detection rate)
2/79 Antivirus vendors marked dropped file "DcryptDll.dll" as malicious (classified as "DNSChanger.aho" with 2% detection rate)
4/78 Antivirus vendors marked dropped file "IE_approveExt.exe" as malicious (classified as "Pua.Wajam" with 5% detection rate)
1/79 Antivirus vendors marked dropped file "nsisos.dll" as malicious (classified as "Suspicious" with 1% detection rate)
3/79 Antivirus vendors marked dropped file "MoreInfo.dll" as malicious (classified as "Unavailable" with 3% detection rate)
- source: Binary File
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details:
4/78 Antivirus vendors marked spawned process "IE_approveExt.exe" (PID: 1096) as malicious (classified as "Pua.Wajam" with 5% detection rate)
19/75 Antivirus vendors marked spawned process "WajamUpdater.exe" (PID: 3708) as malicious (classified as "Adware.Wajam" with 25% detection rate)
- source: Monitored Target
- relevance: 10/10
Installation/Persistence

Allocates virtual memory in a remote process
- details:
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" allocated memory in "%APPDATA%\Microsoft\Windows\Cookies\E4O0EOXN.txt"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" allocated memory in "%TEMP%\nsfE187.tmp\SimpleSC.dll"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" allocated memory in "C:\install2.log"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 1044)
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote 52 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 1044)
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote 4 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 1044)
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote 1500 bytes to a remote process "C:\Program Files\Wajam\Updater\WajamUpdater.exe" (Handle: 1060)
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote 4 bytes to a remote process "C:\Program Files\Wajam\Updater\WajamUpdater.exe" (Handle: 1060)
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote 32 bytes to a remote process "C:\Program Files\Wajam\Updater\WajamUpdater.exe" (Handle: 1060)
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote 52 bytes to a remote process "C:\Program Files\Wajam\Updater\WajamUpdater.exe" (Handle: 1060)
"cmd.exe" wrote 32 bytes to a remote process "C:\Program Files\Wajam\IE\IE_approveExt.exe" (Handle: 80)
"cmd.exe" wrote 52 bytes to a remote process "C:\Program Files\Wajam\IE\IE_approveExt.exe" (Handle: 80)
"cmd.exe" wrote 4 bytes to a remote process "C:\Program Files\Wajam\IE\IE_approveExt.exe" (Handle: 80)
"iexplore.exe" wrote 32 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 888)
"iexplore.exe" wrote 52 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 888)
"iexplore.exe" wrote 4 bytes to a remote process "C:\Program Files\Internet Explorer\iexplore.exe" (Handle: 888)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Network Related

Found more than one unique User-Agent
- details: Found the following User-Agents:
NSIS_Inetc (Mozilla)
Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Microsoft-CryptoAPI/6.1
- source: Network Traffic
- relevance: 5/10
Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "5.135.138.118": ...
URL: http://wajam.com/download/ (AV positives: 3/70 scanned on 06/19/2019 10:41:15)
URL: http://www.wajam.com/download/ (AV positives: 2/70 scanned on 06/19/2019 07:39:25)
URL: http://wajam.com/download/wajam_download.exe (AV positives: 2/70 scanned on 06/19/2019 05:30:35)
URL: http://socialwebsearch.co/download/ (AV positives: 4/70 scanned on 06/16/2019 07:13:17)
URL: http://www.socialwebsearch.co/download/ (AV positives: 3/70 scanned on 06/13/2019 23:51:25)
File SHA256: 8a482f2271a42c5f54c96e816a84340a6f2357a5b81f927d07d00788f5140a41 (AV positives: 1/65 scanned on 06/19/2019 04:45:51)
File SHA256: 81cf1f2d60ed081b06e45d860abc1d5b7dd664b77b7193e04cbb014fc92dbb68 (AV positives: 43/70 scanned on 06/12/2019 04:34:14)
File SHA256: 176f53f07b3b159a8b2dde4edb7e08287ef24705777cf1b12ca9616426ad7ad5 (AV positives: 36/71 scanned on 06/07/2019 07:47:59)
File SHA256: 7fd04a40bd34855aedf36175ee99d89d62b5b25df2d4cd675dea3c3d843961e1 (AV positives: 26/71 scanned on 04/23/2019 13:53:27)
File SHA256: 974b45be66f78467e52322f6786927e41fd6f8482e52e445c8d5c093b9729f13 (AV positives: 39/70 scanned on 02/03/2019 09:17:36)
File SHA256: e2d5dda7c3d1d0feba79933c1826561f8a83df57babc3705a353e426fb68d06c (Date: 01/07/2019 00:30:10)
File SHA256: 0db73d0db95424df4a6817f18f075090bd475e3bae3c6d48d17d7e29e590219b (Date: 02/21/2015 01:21:35)
File SHA256: 38bdd91490fddbbe9cbc65949f432a3cdb7f00142ba340e08a79ff5af775687e (Date: 02/10/2015 18:59:29)
Found malicious artifacts related to "172.217.7.170": ...
File SHA256: 336404d806cbb03bfec8dc60cd8413d39f6ca47adae0572477f31bc18f79ca22 (Date: 05/05/2018 22:44:40)
File SHA256: fe05e3e070f6971796a4c12805b877f85c8b49e5278b859a0844f3fc994ae831 (Date: 05/05/2018 13:19:33)
File SHA256: a553f2ff7003b5fa2d4c8e47272c659c98ea0c1293fa23e81e879c74c2fafcb5 (Date: 04/21/2018 16:32:03)
File SHA256: 44e882709e943d36f8c512e0c603df895fab79f2e9e099f406fc29e38da5b0f2 (AV positives: 38/66 scanned on 04/11/2018 22:19:04)
File SHA256: dfe210d31f3cb7c4c4bed901eb83579e8e72cdbbc7935482a402bdc05e730d57 (Date: 04/04/2018 13:48:06)
File SHA256: 0e9683520e254094503ae0c381212e81554be09ec97039af0f61a0e6c8a225e2 (Date: 03/30/2018 20:31:48)
File SHA256: adcb7a9c1fef0db1d03f63bb5dcb76bd0a0479c63d14645d106a257e16caec9b (AV positives: 29/68 scanned on 12/19/2017 23:30:42)
File SHA256: 4681929e6c5344af2d54e85d3d9261a7371c8a0213ac95c970462ea1c32f65d4 (AV positives: 37/68 scanned on 12/07/2017 15:19:37)
File SHA256: 36de74e3bfab5d938c77069b4fa4a190e0f8d7548a0892651fbe014913ecb2ce (AV positives: 15/64 scanned on 11/25/2017 16:49:35)
File SHA256: db5d8a230105dd15216b90eea2de4407b5959602bfcf051f831bcbf11c564249 (AV positives: 31/68 scanned on 11/12/2017 20:54:25)
Found malicious artifacts related to "192.229.163.25": ...
URL: http://platform.twitter.com/widgets/tweet_button.html?url=http%3A%2F%2Fzoemoon.com%2F2013%2F08%2F11%2Fzoe-moon-astrology-weekly-forecast-aug-12-18%2F&%3Bcounturl=http%3A%2F%2Fzoemoon.com%2F2013%2F08%2F11%2Fzoe-moon-astrology-weekly-forecast-aug-12-18%2F&%3Bcount=horizontal&%3Btext=ZOE+MOON+ASTROLOGY+WEEKLY+FORECAST+AUG+12-18 (AV positives: 1/67 scanned on 08/22/2018 12:09:25)
URL: http://platform.twitter.com/widgets/tweet_button.html?url=http%3A%2F%2Fteruc.dnsalias.net%2Fblog%2F2012%2F05%2F10%2F319&text=%5BASP.NET%20MVC%5D%E3%83%AA%E3%82%BD%E3%83%BC%E3%82%B9%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB%E3%81%8B%E3%82%89%E3%81%AE%E3%83%A1%E3%83%83%E3%82%BB%E3%83%BC%E3%82%B8%E5%8F%96%E5%BE%97%E3%81%A8%E4%BB%BB%E6%84%8F%E3%81%AE%E7%BD%AE%E6%8F%9B%E6%96%87%E5%AD%97%E5%88%97%E3%81%AB%E5%AF%BE%E5%BF%9C%E3%81%97%E3%81%9F%E6%A4%9C%E8%A8%BC%E5%B1%9E%E6%80%A7%E3%81%AE%E5%AE%9F%E8%A3%85&lang=ja&count=horizontal (AV positives: 1/64 scanned on 01/30/2017 04:59:29)
URL: https://pbs.twimg.com/media/CahUxqZW4AASA7m.jpg (AV positives: 1/67 scanned on 02/21/2016 16:11:36)
URL: https://pbs.twimg.com/media/CahEtHBWEAERmWE.jpg (AV positives: 1/67 scanned on 02/21/2016 16:07:26)
URL: https://pbs.twimg.com/media/Cbv9rE7WEAAYhTF.jpg (AV positives: 1/67 scanned on 02/21/2016 15:59:12)
File SHA256: 4fde0ef98e790ec50a72f4277c88c3bed1c93fc4d8b81ac0d81aa32943a264a6 (Date: 06/18/2019 21:53:12)
File SHA256: 19ff61db918e59df80acc1bdd44580b7c559d4a99b3535dfa9a8137ab6dff7bc (Date: 06/17/2019 19:17:38)
File SHA256: 5184b174cd09596c1984fb54fa4d6b60a9522073f8b1e840f1fd7003bc24c155 (Date: 06/17/2019 19:17:27)
File SHA256: e7da1bd0437a0a0e4f39a312257c2fad40140378fee4ff2ba82873083132f2d3 (AV positives: 17/71 scanned on 12/22/2018 02:47:17)
File SHA256: d4539d82927e72df973e009f5f730188447af920869d9320ebb9a0b6c3fd4cd3 (AV positives: 1/70 scanned on 09/01/2018 00:06:05)
File SHA256: 183a783e4b4137053cb32215ffd258948b557afeec70aafdd4f4aa9ade31366c (AV positives: 40/71 scanned on 08/03/2018 13:54:20)
File SHA256: 4d50fcf12a9057f50c84b726577c1a2a1e23e586e1817883ed55b7c426a02fe2 (AV positives: 1/69 scanned on 07/07/2018 02:27:49)
File SHA256: fff82662e3589be64093618e8e4ff7836c527f3f747aede0143aff5d02450780 (AV positives: 28/68 scanned on 07/06/2018 17:51:09)
File SHA256: 2c361e8fee10884b61e94d8995da90ab0f8baebd1f12af13f4e6267dc6ddb1bd (Date: 11/23/2017 14:52:33)
File SHA256: 1be0c624091f49e1b67875f4bbe664cd55acdef22c28bcb7ee245c61907b0ec7 (Date: 11/23/2017 13:29:00)
Found malicious artifacts related to "172.217.5.234": ...
File SHA256: 1ca8850f3938ec72b5bdb571164424dd4d7b9bd247d378d7b58bba2457c09a35 (AV positives: 58/72 scanned on 05/15/2019 23:34:11)
File SHA256: 100977320924b9f1b7f134c770daab86479b57f8e1d8f8c1f001c8b54241b477 (AV positives: 50/65 scanned on 02/28/2019 22:15:41)
File SHA256: f4e04e9ab842c2e61b4bb4aab44fe58486c4b8a22c9517cc8bb39d8a18b8abde (AV positives: 48/64 scanned on 02/28/2019 22:55:42)
File SHA256: e69e9a3bf88c203712ae998de30acfb994206897b64df3ab9a47707d6a591231 (Date: 05/12/2018 16:26:53)
File SHA256: af3ee003a5ded63597b7fba40edeb8f7ca1e7c410b1dd72bf1aa04249de36947 (Date: 05/03/2018 20:29:36)
File SHA256: fe0cabbd60c38b0a22048025480ea6a26af0cd4e0fe3a2aa36a5ce4866cc8a44 (Date: 04/26/2018 02:39:17)
File SHA256: fa42d12d0c05c0c9c965d2cdd31d967a81b823553607319f976ea96e78032cc7 (Date: 02/07/2018 17:49:00)
File SHA256: 0da465adf9c8d068245bd2cec3164f2956d14d3a771730bb30c4d452eaa6bd78 (Date: 12/22/2017 06:40:24)
File SHA256: 9efef38d35eb6a917860e081b96259d4322be6583c2e6d6e3d18ceca5efd2218 (AV positives: 51/67 scanned on 12/21/2017 20:41:44)
File SHA256: 44a7043877f2f5cb149df3ac39e13dba742240998ea55c9472044d7b09a11fa3 (AV positives: 35/68 scanned on 12/21/2017 14:53:27)
Found malicious artifacts related to "74.125.192.155": ...
URL: https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-51915447-1&cid=1561689094.1430196265&jid=1743330473&_v=j35&z=1388274836 (AV positives: 1/63 scanned on 04/28/2015 04:45:35)
URL: https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-51915447-1&cid=982038166.1430196095&jid=339211618&_v=j35&z=1108641866 (AV positives: 1/63 scanned on 04/28/2015 04:43:02)
URL: https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-51915447-1&cid=616252409.1430195976&jid=803007462&_v=j35&z=1987499391 (AV positives: 1/63 scanned on 04/28/2015 04:40:47)
URL: https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-51915447-1&cid=789606747.1430195847&jid=2024444283&_v=j35&z=618399270 (AV positives: 1/63 scanned on 04/28/2015 04:39:59)
URL: https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-51915447-1&cid=1863498444.1430195804&jid=1759761465&_v=j35&z=1909541938 (AV positives: 1/63 scanned on 04/28/2015 04:38:57)
File SHA256: bfb33147f9b8bd5db589d5354a0d477217a926f8cd92617fc56467875f589086 (Date: 04/25/2019 03:59:15)
File SHA256: 763238e897f996710e9a24c95f8e60015f630e3f0b1b74a2b9ffe0f255277dfb (AV positives: 22/54 scanned on 11/04/2014 10:31:17)
File SHA256: 8679362afe8969e39c8a67bd10dc4f154067e9b1c67b774f41efb11315df5314 (AV positives: 20/53 scanned on 08/31/2014 19:10:16)
File SHA256: e717b4a152e1951565d90cd594868766146f57248bc9e1e37f317f7234fd5f15 (AV positives: 1/52 scanned on 07/14/2014 16:36:14)
File SHA256: 18cda4fc1d191ed1d9e2dd77513a0e7cb928651510b1053049e8cd86e4cf1886 (AV positives: 1/50 scanned on 06/05/2014 12:00:08)
File SHA256: 38b88de0565dee0113b4576650a26548c5f95f1a1ab4ed96dfc5f07ce80503bb (AV positives: 1/51 scanned on 02/15/2014 02:41:46)
Found malicious artifacts related to "151.139.244.29": ...
URL: http://indigenouspathwaysus.com/page-9/Cache/Bookmark/Chase0n3 (AV positives: 7/70 scanned on 06/19/2019 01:56:47)
URL: http://indigenouspathwaysus.com/page-4/page-6/files/Cookies (AV positives: 5/67 scanned on 06/09/2019 02:02:43)
URL: http://indigenouspathwaysus.com/page-4/page-5/Cache (AV positives: 8/67 scanned on 06/08/2019 08:02:57)
URL: http://indigenouspathwaysus.com/page-9/Cache/Bookmark (AV positives: 3/67 scanned on 06/05/2019 14:10:05)
URL: http://indigenouspathwaysus.com/page-4/page-6/files (AV positives: 2/67 scanned on 05/29/2019 13:29:18)
File SHA256: 05073af551fd4064cced8a8b13a4491125b3cd1f08defe3d3970b8211c46e6b2 (Date: 02/27/2019 00:35:26)
File SHA256: 7a0403cd44fddb5c9d88965bdd3b26d0562de81b7945ddbc4f56651760a2fbe2 (AV positives: 1/68 scanned on 11/16/2018 18:18:57)
File SHA256: 10e720e38144e87e99c07dd82eaa63bfd785063341333b9b043c9f8a697059dd (AV positives: 1/69 scanned on 11/15/2018 02:05:13)
File SHA256: ca5cfea416c583e9c87fd99f6e45f52fd00d5ae1976ecc347624da14acb797c4 (AV positives: 1/68 scanned on 11/11/2018 02:00:31)
File SHA256: 876c706dcfd4b5e58ab3024d0df69ced0b75562f2718a5447c0be9adb920d1fe (AV positives: 60/68 scanned on 10/30/2017 17:26:59)
File SHA256: 40042d29c459f49c02a54b6b930684b564d56e9d70eda1c3bae4613eaeb2a4e3 (Date: 08/27/2017 21:46:48)
File SHA256: 2955e5ac943adc0df2aa71ec9233b376c62cf2abc85afb487330e8ef5bef2239 (Date: 08/03/2017 11:32:24)
File SHA256: 248aa32d0683d6c1f435826bd1f7ee01dcdd38e9c7a971e26ca0af127040b945 (Date: 08/01/2017 18:11:30)
File SHA256: 8f6136d4de51122f9bdefefeeeb57671c91f33fe18fb3b52e711b7fd23060410 (AV positives: 2/65 scanned on 07/28/2017 09:28:54)
File SHA256: c73a1bd165b83a4f240b30628a36a0a7f9d9b1fda4e5ab76252c6122118704d5 (Date: 06/09/2017 03:02:41)
Found malicious artifacts related to "172.217.7.131": ...
File SHA256: bf3f597d290ffec7e2dfa0a33c74954be5fac77f36327f055bb4b8f838d4f618 (AV positives: 56/71 scanned on 06/17/2019 21:56:27)
File SHA256: fdbac1c1d4f4052212fcab4656bd52aa813de741f03a9ceb587dda72dde312a6 (AV positives: 56/71 scanned on 06/15/2019 23:04:55)
File SHA256: 6931482d4043722c1cf08ed16ca42a7e3e32a28ff31fb34657364308761137eb (AV positives: 59/71 scanned on 06/09/2019 22:55:42)
File SHA256: 3856c5245e63fd08e822622796f3b72b04ddb9e2d33c189c6b9e2d8056841c25 (AV positives: 55/73 scanned on 06/08/2019 23:54:55)
File SHA256: 5ba27a2b0bdf609c4df9a5a11f834f4fdd7a85aaacb7c65a0165674977e99f42 (AV positives: 56/72 scanned on 06/07/2019 23:49:16)
File SHA256: 52fca8adb64e8a8f8b81214a612bbd1555dcff0679d63b077493f9b15e4b9427 (Date: 03/14/2018 11:02:03)
File SHA256: c6b2aa73eecbcd38bb48fad255cf25046aac7fb766853e659bbe4369b3067c63 (Date: 03/14/2018 10:50:40)
File SHA256: b40d1341722014701bfbcb5bf3040c77e693917a8049c782079bfe88d0fb4ffe (Date: 01/11/2018 04:06:03)
File SHA256: 2d186e84ef5c67ef6c1e660f0ddb9d91f1e1ff60876a93228e357188791900f4 (Date: 01/10/2018 20:13:31)
File SHA256: 60fafbfeeb435fee4d68896409c320636a05796e7936bdbc7ec6c9bc696ecec1 (Date: 12/14/2017 04:46:01)
Found malicious artifacts related to "104.244.42.72": ...
URL: https://syndication.twitter.com/ (AV positives: 1/66 scanned on 03/22/2019 12:15:44)
URL: https://syndication.twitter.com/i/jot/syndication?l={%22_category_%22:%22syndicated_impression%22
%22event_namespace%22:{%22client%22:%22web%22
%22page%22:%22profile%22
%22action%22:%22impression%22}
%22triggered_on%22:1553255746886} (AV positives: 1/66 scanned on 03/22/2019 12:14:30)
File SHA256: a210a164b2cfb981e2a6a6aad36706e8342a3eab2c81093b682a6f7e8799ecc3 (AV positives: 3/71 scanned on 06/18/2019 09:39:00)
File SHA256: 0957ab909d52abc91dea24cc6c627813126e05429c770e43ef85c1aac1e7a76e (AV positives: 18/70 scanned on 06/17/2019 11:35:18)
File SHA256: e58587bcb5c1273652d361f77c356f91dd5ca9436b62c28aeab31ed2a4449906 (AV positives: 5/71 scanned on 06/17/2019 14:55:41)
File SHA256: ec1f9759d95d8b3f8274bae612a66a847bbb479ba78221966517abbcf50ed387 (AV positives: 11/72 scanned on 06/17/2019 14:26:24)
File SHA256: 78f70ff918b9aa5cfe0de07f604c7e4b88ebdab7e8a1a6066372307859ed83e5 (AV positives: 19/71 scanned on 06/16/2019 08:42:21)
- source: Network Traffic
- relevance: 10/10
Multiple malicious artifacts seen in the context of different hosts
- details: identical to the artifact list under "Malicious artifacts seen in the context of a contacted host" above
- source: Network Traffic
- relevance: 10/10
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
-
ExitWindowsEx@USER32.DLL from 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Hiding 1 Malicious Indicators
-
Suspicious Indicators 37
-
Anti-Detection/Stealthiness
-
Contains ability to open/control a service
- details
-
OpenServiceW@ADVAPI32.DLL from WajamUpdater.exe (PID: 3708)
- source
- Hybrid Analysis Technology
- relevance
- 8/10
- ATT&CK ID
- T1035
-
Queries kernel debugger information
- details
- "6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" at 00045479-00003408-00000105-5852349052
- source
- API Call
- relevance
- 6/10
-
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- UPX1 with unusual entropies 7.54700394028
- source
- Static Parser
- relevance
- 10/10
-
PE file is packed with UPX
- details
-
"GetVersion.dll" has a section named "UPX0"
"GetVersion.dll" has a section named "UPX1" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
-
Environment Awareness
-
Contains ability to query CPU information
- details
- cpuid
- source
- Hybrid Analysis Technology
- relevance
- 10/10
- ATT&CK ID
- T1082
-
Found a reference to a WMI query string known to be used for VM detection
- details
-
"Win32_NetworkAdapterConfiguration" (Indicator: "win32_networkadapterconfiguration"; File: "00045479-00003408.00000000.45801.0040A000.00000004.mdmp")
"Win32_NetworkAdapter" (Indicator: "win32_networkadapter"; File: "00045479-00003408.00000000.45801.0040A000.00000004.mdmp") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047
-
Reads the active computer name
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"IE_approveExt.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"WajamUpdater.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Reads the cryptographic machine GUID
- details
- "6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
-
1/66 reputation engines marked "http://www.wajam.com" as malicious (1% detection rate)
1/70 reputation engines marked "http://stats.g.doubleclick.net" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceW@KERNEL32.DLL from IE_approveExt.exe (PID: 1096)
LoadResource@KERNEL32.DLL from IE_approveExt.exe (PID: 1096)
FindResourceW@KERNEL32.DLL from WajamUpdater.exe (PID: 3708)
LoadResource@KERNEL32.DLL from WajamUpdater.exe (PID: 3708)
LoadResource@KERNEL32.dll
FindResourceW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
POSTs files to a webserver
- details
-
"POST /client_send_debug_info.php?v=i1.92&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&major_version=6&minor_version=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Filename: install.log
User-Agent: NSIS_Inetc (Mozilla)
Host: www.wajam.com
Content-Length: 10769
Connection: Keep-Alive
Cache-Control: no-cache" with no payload
- source
- Network Traffic
- relevance
- 5/10
-
Reads configuration files
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" read file "%WINDIR%\win.ini"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" read file "%PROGRAMFILES%\desktop.ini" - source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Drops executable files
- details
-
"SimpleSC.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"inetc.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
"WajamUpdater.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"priam_bho.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ExecCmd.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"DcryptDll.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"IE_approveExt.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"GetVersion.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows UPX compressed"
"IpConfig.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsisos.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MoreInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 10/10
-
Modifies auto-execute functionality by setting/creating a value in the registry
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"; Key: "(DEFAULT)"; Value: "Wajam IE BHO"), "6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"; Key: "NOEXPLORER"; Value: "01000000") - source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1060
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"1.1.0.7"
Heuristic match: "<versionentry groupname="Java(TM) 9" filename="jp2ssv.dll" productversion="9.0.4-65535.65535.65535.65535" fileversion="12.0.4.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.8" filename="jp2ssv.dll" productversion="8.0.1610.0-65535.65535.65535.65535" fileversion="11.161.0.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="jp2ssv.dll" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 9" filename="jp2iexp.dll" productversion="9.0.4-65535.65535.65535.65535" fileversion="12.0.4.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.8" filename="jp2iexp.dll" productversion="8.0.1610.0-65535.65535.65535.65535" fileversion="11.161.0.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="jp2iexp.dll" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="ssv.dll" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.8" filename="ssv.dll" productversion="8.0.1610.0-65535.65535.65535.65535" fileversion="11.161.0.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.8" filename="wsdetect.dll" productversion="11.161.0.0-65535.65535.65535.65535" fileversion="8.0.1610.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="wsdetect.dll" productversion="10.171.0.0-10.65535.65535.65535" fileversion="7.0.1710.0-7.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.6" filename="wsdetect.dll" productversion="1.6.0.0-1.6.65535.65535" fileversion="6.0.1810.0-6.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 9" filename="deployJava1.dll" productversion="9.0.4-65535.65535.65535.65535" fileversion="12.0.4.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.8" filename="deployJava1.dll" productversion="8.0.1610.0-65535.65535.65535.65535" fileversion="11.161.0.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="deployJava1.dll" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="npjpi*.dll" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 9" filename="javaws.exe" productversion="9.0.4-65535.65535.65535.65535" fileversion="12.0.4.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.8" filename="javaws.exe" productversion="8.0.1610.0-65535.65535.65535.65535" fileversion="11.161.0.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="javaws.exe" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.8" filename="jp2launcher.exe" productversion="8.0.1610.0-65535.65535.65535.65535" fileversion="11.161.0.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="jp2launcher.exe" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 9" filename="ssvagent.exe" productversion="9.0.4-65535.65535.65535.65535" fileversion="12.0.4.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.8" filename="ssvagent.exe" productversion="8.0.1610.0-65535.65535.65535.65535" fileversion="11.161.0.0-65535.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="ssvagent.exe" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />"
Heuristic match: "<versionentry groupname="Java(TM) 1.7" filename="unpack200.exe" productversion="7.0.1710.0-7.65535.65535.65535" fileversion="10.171.0.0-10.65535.65535.65535" />" - source
- File/Memory
- relevance
- 3/10
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
-
TCP traffic to 5.135.138.118 on port 80 is sent without HTTP header
TCP traffic to 172.217.7.170 on port 80 is sent without HTTP header
TCP traffic to 192.229.163.25 on port 80 is sent without HTTP header
TCP traffic to 172.217.5.234 on port 80 is sent without HTTP header
TCP traffic to 74.125.192.155 on port 443 is sent without HTTP header
TCP traffic to 192.229.163.25 on port 443 is sent without HTTP header
TCP traffic to 151.139.244.29 on port 80 is sent without HTTP header
TCP traffic to 172.217.7.131 on port 80 is sent without HTTP header
TCP traffic to 104.244.42.72 on port 443 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
-
Spyware/Information Retrieval
-
Contains ability to open the clipboard
- details
-
OpenClipboard@USER32.DLL from 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
- ATT&CK ID
- T1115
-
Contains ability to retrieve keyboard strokes
- details
-
GetAsyncKeyState@USER32.DLL from 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- source
- Hybrid Analysis Technology
- relevance
- 8/10
- ATT&CK ID
- T1056
-
System Destruction
-
Marks file for deletion
- details
-
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "%TEMP%\nskE156.tmp" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Program Files\Wajam\IE\IE_approveExt.exe" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\install2.log" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\end" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Program Files\Wajam\install.log" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\DcryptDll.dll" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\dummy.htm" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\ExecCmd.dll" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\GetVersion.dll" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\image.bmp" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\inetc.dll" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\IpConfig.dll" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\MoreInfo.dll" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\nsisos.dll" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\SimpleSC.dll" for deletion
"C:\6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\System.dll" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "%TEMP%\nskE156.tmp" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Program Files\Wajam\IE\IE_approveExt.exe" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\install2.log" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\end" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Program Files\Wajam\install.log" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\DcryptDll.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\dummy.htm" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\ExecCmd.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\GetVersion.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\image.bmp" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\inetc.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\IpConfig.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\MoreInfo.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\nsisos.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\SimpleSC.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\System.dll" with delete access
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\" with delete access - source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies proxy settings
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Queries sensitive IE security settings
- details
- "6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"uninstall.exe" claimed CRC 121175 while the actual is CRC 66158
"WajamUpdater.exe" claimed CRC 148835 while the actual is CRC 121175
"priam_bho.dll" claimed CRC 320203 while the actual is CRC 148835
"IE_approveExt.exe" claimed CRC 138148 while the actual is CRC 25828
"IpConfig.dll" claimed CRC 146691 while the actual is CRC 62524
"MoreInfo.dll" claimed CRC 7843 while the actual is CRC 41597 - source
- Static Parser
- relevance
- 10/10
-
Entrypoint in PE header is within an uncommon section
- details
- "GetVersion.dll" has an entrypoint in section "UPX1"
- source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegDeleteKeyA
RegCloseKey
RegOpenKeyExA
RegDeleteValueA
RegCreateKeyExA
RegEnumKeyA
GetFileAttributesA
CopyFileA
GetModuleFileNameA
LoadLibraryA
LoadLibraryExA
GetFileSize
CreateDirectoryA
DeleteFileA
GetCommandLineA
GetProcAddress
GetTempPathA
CreateThread
GetModuleHandleA
FindFirstFileA
WriteFile
GetTempFileNameA
FindNextFileA
CreateProcessA
Sleep
CreateFileA
GetTickCount
ShellExecuteA
FindWindowExA
OpenProcessToken
StartServiceA
LookupAccountNameA
CreateServiceA
GetStartupInfoA
GetVersionExA
UnhandledExceptionFilter
VirtualAlloc
SleepEx
InternetOpenA
HttpSendRequestA
InternetWriteFile
InternetCloseHandle
FtpOpenFileA
InternetReadFile
InternetConnectA
InternetQueryOptionA
HttpQueryInfoA
InternetCrackUrlA
HttpSendRequestExA
RegCreateKeyExW
RegDeleteKeyW
RegOpenKeyExW
CreateServiceW
RegEnumKeyExW
RegDeleteValueW
StartServiceCtrlDispatcherW
LoadLibraryExW
GetModuleFileNameW
IsDebuggerPresent
ExitThread
TerminateProcess
LoadLibraryW
GetStartupInfoW
CreateFileW
LockResource
GetCommandLineW
GetModuleHandleW
FindResourceW
CreateProcessW
FindResourceExW
FindNextFileW
FindFirstFileW
OpenProcess
GetWindowThreadProcessId
VirtualProtect
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote bytes "e739f676e1a6fa762e71fa76ee29fa7685e2f5766da0fa769064f9763ad5007726e4f576d16dfa76003df876804bf87600000000ad378b758b2d8b75b6418b7500000000" to virtual address "0x74811000" (part of module "WSHIP6.DLL")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote bytes "75006e00650078007000650063007400650064002000730068007500740064006f0077006e0020006f0066002000740068006900" to virtual address "0x03014000" (part of module "USER32.DLL.MUI")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote bytes "c04ef8762054f976e065f976b538fa760000000000d0607500000000c5ea60750000000088ea607500000000e968e8748228fa76ee29fa7600000000d269e874000000007dbb60750000000009bee87400000000ba18607500000000" to virtual address "0x77191000" (part of module "NSI.DLL")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote bytes "d055dc756473e5750000000051c1757594987575ee9c757575dc7775273e77750fb37b7500000000acdc60751bf76075c1086275c0d96075152e607536da6075d5d9607530c66075e0c2607542c660751bc6607586c4607572c6607500000000" to virtual address "0x704A1000" (part of module "SHFOLDER.DLL")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" wrote bytes "fae6f576e1a6fa762e71fa76ee29fa7685e2f5766da0fa7626e4f576d16dfa76003df876804bf87600000000ad378b758b2d8b75b6418b7500000000" to virtual address "0x742E1000" (part of module "WSHTCPIP.DLL")
"iexplore.exe" wrote bytes "a035f76f" to virtual address "0x759C131C" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "60cdfa6f" to virtual address "0x75D41E14" (part of module "SHELL32.DLL")
"iexplore.exe" wrote bytes "60d2fa6f" to virtual address "0x6B45FEC4" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "b033f76f" to virtual address "0x76B9917C" (part of module "IERTUTIL.DLL")
"iexplore.exe" wrote bytes "c03af76f" to virtual address "0x6B45FE80" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "60cdfa6f" to virtual address "0x6B45FEC0" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "b033f76f" to virtual address "0x743F1038" (part of module "VERSION.DLL")
"iexplore.exe" wrote bytes "b033f76f" to virtual address "0x75231164" (part of module "USP10.DLL")
"iexplore.exe" wrote bytes "70ccfa6f" to virtual address "0x759C1310" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "60cdfa6f" to virtual address "0x759C130C" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "3030f76f" to virtual address "0x6B45FE90" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "3030f76f" to virtual address "0x759C1380" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "80321d0170321d0100321d0160321d0150321d0140321d0130321d01000000002cc9e475c0211d010000000090171d0150231d0100181d01601f1d0120361d010000000040361d0100000000" to virtual address "0x011D8000"
"iexplore.exe" wrote bytes "b033f76f" to virtual address "0x011D70C0"
"iexplore.exe" wrote bytes "b033f76f" to virtual address "0x75CD1210" (part of module "IMM32.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
- "6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 9 Suspicious Indicators
-
Informative 36
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.DLL from IE_approveExt.exe (PID: 1096)
SetUnhandledExceptionFilter@KERNEL32.DLL from WajamUpdater.exe (PID: 3708)
SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
PE file contains zero-size sections
- details
-
Raw size of ".ndata" is zero
Raw size of "BSS" is zero
Raw size of "UPX0" is zero
Raw size of ".bss" is zero
Raw size of ".data" is zero - source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from IE_approveExt.exe (PID: 1096)
GetSystemTimeAsFileTime@KERNEL32.DLL from WajamUpdater.exe (PID: 3708)
GetSystemTimeAsFileTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine timezone
- details
-
GetTimeZoneInformation@KERNEL32.DLL from WajamUpdater.exe (PID: 3708)
GetTimeZoneInformation@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.DLL from 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceA@KERNEL32.DLL from 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1083
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, edi" and "je 00BFA466h" from WajamUpdater.exe (PID: 3708)
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, edi" and "je 0040A466h"
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.DLL from IE_approveExt.exe (PID: 1096)
GetProcessHeap@KERNEL32.DLL from WajamUpdater.exe (PID: 3708)
GetProcessHeap@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" queries volume information of "C:\" at 00045479-00003408-0000010C-16695777819
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" queries volume information of "C:\" at 00045479-00003408-0000010C-51872632541
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" queries volume information of "%PROGRAMFILES%\Wajam\uninstall.exe" at 00045479-00003408-0000010C-51892611280 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" queries volume information of "C:\" at 00045479-00003408-0000010C-16695777819
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" queries volume information of "C:\" at 00045479-00003408-0000010C-51872632541 - source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\FIREFOX.EXE")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\FIREFOX.EXE"; Key: ""; Value: "00000000010000005A00000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006F007A0069006C006C0061002000460069007200650066006F0078005C00660069007200650066006F0078002E006500780065000000")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKU\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WAJAM")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE"; Key: ""; Value: "00000000010000006000000043003A005C00500072006F006700720061006D002000460069006C00650073005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0049004500580050004C004F00520045002E004500580045000000")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\6A393ECB2861A27240D322DD407F6ADB7218B0A5.EXE")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\6A393ECB2861A27240D322DD407F6ADB7218B0A5.EXE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
General
-
Contacts domains
- details
-
"www.wajam.com"
"ajax.googleapis.com"
"platform.twitter.com"
"fonts.googleapis.com" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"5.135.138.118:80"
"172.217.7.170:80"
"192.229.163.25:80"
"172.217.5.234:80"
"74.125.192.155:443"
"192.229.163.25:443"
"151.139.244.29:80"
"172.217.7.131:80"
"104.244.42.72:443" - source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"d:\Projects\Visual Studio\NSIS Plugins\IpConfig\Output\Plugins\IpConfig.pdb"
"%USERPROFILE%\Desktop\branches\Wajam\guillaume-update-reenable-bho\Clients\Affiliate_Executables\Util\AutoEnableBHO\Release\IE_approveExt.pdb"
"C:\Users\%USERNAME%\Desktop\svnwajam\Clients\Updater\Release\WajamUpdater.pdb"
"untgz\MoreInfo\SRC\Release\MoreInfo.pdb"
"C:\Users\%USERNAME%\Desktop\branches\Wajam\guillaume-installer-ie11-fix\Clients\Extensions\IE_BHO\source\wajam\Release\priam_bho.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "%TEMP%\nsqE177.tmp"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\inetc.dll"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\image.bmp"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\dummy.htm"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\System.dll"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\IpConfig.dll"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\DcryptDll.dll"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\nsisos.dll"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsfE187.tmp\GetVersion.dll" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\!BrowserEmulation!SharedMemory!Mutex"
"\Sessions\1\BaseNamedObjects\Local\VERMGMTBlockListFileMutex"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_FILEMAPSWITCH_MUTEX_2612"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_HASHFILESWITCH_MUTEX"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_DOWNLOAD_MUTEX"
"\Sessions\1\BaseNamedObjects\IsoScope_a34_IE_EarlyTabStart_0x4dc_Mutex"
"\Sessions\1\BaseNamedObjects\IsoScope_a34_ConnHashTable<2612>_HashTable_Mutex"
"\Sessions\1\BaseNamedObjects\{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"
"\Sessions\1\BaseNamedObjects\IsoScope_a34_IESQMMUTEX_0_303"
"\Sessions\1\BaseNamedObjects\IsoScope_a34_IESQMMUTEX_0_331" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")
Antivirus vendors marked dropped file "SimpleSC.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "inetc.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "GetVersion.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows UPX compressed")
Antivirus vendors marked dropped file "IpConfig.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "System.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows") - source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET /installer/progress?section=100&aid=&aid2=&unique_id=&tv=1.92-13&install_timestamp= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: www.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache"
"GET /installer/start?aid=3673&aid2=none&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&tv=1.92-13&install_timestamp=1560965831 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: www.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=vmnbhu240179dbfikdpk82ajel; _wau=15609585538671540; _wal=1560958553; APPSESSID=w3|XQpWf|XQpWf"
"GET /installer/post_install?aid=3673&aid2=none&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&tv=1.92-13&install_timestamp=1560965831 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: www.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=vmnbhu240179dbfikdpk82ajel; _wau=15609585538671540; _wal=1560958555; APPSESSID=w3|XQpWg|XQpWf"
"GET /index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958585"
"GET /js/min_general_en.js?1.00434.0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /ajax/libs/jqueryui/1.8.16/jquery-ui.js?1.00434.0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ajax.googleapis.com
DNT: 1
Connection: Keep-Alive"
"GET /ajax/libs/jquery/1.7/jquery.min.js?1.00434.0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: ajax.googleapis.com
DNT: 1
Connection: Keep-Alive"
"GET /widgets.js?1.00434.0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: platform.twitter.com
DNT: 1
Connection: Keep-Alive
Cookie: personalization_id="v1_klJqB00qZ2y8VHUHD/E+KQ=="; guest_id=v1%3A151245755858269842"
"GET /js/min_fancybox.js?1.00434.0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /js/min_signup_page.js?1.00434.0 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /css/min_fancybox.css?1.00434.0 HTTP/1.1
Accept: text/css, */*
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /css/min_signup.css?1.00434.0 HTTP/1.1
Accept: text/css, */*
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /css/min_general.css?1.00434.0 HTTP/1.1
Accept: text/css, */*
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /imgs/feedback.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /update/Updater/wajam_update.exe HTTP/1.1
Accept: */*
If-Modified-Since: Tue, 18 Jun 2019 15:49:00 +0000
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.wajam.com
Connection: Keep-Alive"
"GET /css?family=Signika:400,300,600,700 HTTP/1.1
Accept: text/css, */*
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: fonts.googleapis.com
DNT: 1
Connection: Keep-Alive"
"GET /css/webfonts/F37F5_0.eot? HTTP/1.1
Accept: */*
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Origin: http://www.wajam.com
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958626; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /css/webfonts/F37F5_1.eot? HTTP/1.1
Accept: */*
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Origin: http://www.wajam.com
Accept-Encoding: gzip, deflate
Host: www.wajam.com
DNT: 1
Connection: Keep-Alive
Cookie: _wau=15609585538671540; _wal=1560958626; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; wajam_ie_addon_installed=1; APPSESSID=w3|XQpWp|XQpWp"
"GET /installer/finish?aid=3673&aid2=none&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&tv=1.92-13&install_timestamp=1560965831 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: www.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=vmnbhu240179dbfikdpk82ajel; _wau=15609585538671540; _wal=1560958626; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; APPSESSID=w3|XQpWo|XQpWf"
"GET /imgs/app/wajam/mainSprite.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: media-c9hg3zwqygdshhtrps.stackpathdns.com
DNT: 1
Connection: Keep-Alive" - source
- Network Traffic
- relevance
- 5/10
-
Launches a browser
- details
-
Launches browser "iexplore.exe"
Launches browser "iexplore.exe" - source
- Monitored Target
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6F120000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "WinInetBroker Class" (Path: "HKCU\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "NetworkListManager" (Path: "HKCU\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\TREATAS")
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched "Network List Manager" (Path: "HKCU\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}\TREATAS") - source
- Registry Access
- relevance
- 3/10
-
Runs shell commands
- details
- "/C IE_approveExt.exe {A7A6995D-6EE1-4FD1-A258-49395D5BF99C}" on 2019-6-19.17:38:52.183
- source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" searching for class "#32770"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" searching for class "IEFrame"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" searching for class "MozillaContentWindowClass"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" searching for class "MozillaDropShadowWindowClass"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" searching for class "MozillaWindowClass"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" searching for class "MozillaUIWindowClass" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "/C IE_approveExt.exe {A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"
Spawned process "IE_approveExt.exe" with commandline "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"
Spawned process "iexplore.exe" with commandline ""http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1E ..."
Spawned process "WajamUpdater.exe" with commandline "/Service"
Spawned process "iexplore.exe" with commandline "SCODEF:2612 CREDAT:275457 /prefetch:2" - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "cmd.exe" with commandline "/C IE_approveExt.exe {A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"
Spawned process "IE_approveExt.exe" with commandline "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"
Spawned process "iexplore.exe" with commandline ""http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1E ..."
Spawned process "WajamUpdater.exe" with commandline "/Service"
Spawned process "iexplore.exe" with commandline "SCODEF:2612 CREDAT:275457 /prefetch:2" - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" connecting to "\ThemeApiPort"
"IE_approveExt.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"urlblockindex_1_.bin" has type "data"
"SimpleSC.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"inetc.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"uninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
"WajamUpdater.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"priam_bho.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ExecCmd.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"DcryptDll.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"IE_approveExt.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"GetVersion.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows UPX compressed"
"IpConfig.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsisos.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"uninstall.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Wed Sep 18 20:17:38 2013 mtime=Wed Jun 19 15:38:51 2019 atime=Wed Sep 18 20:17:38 2013 length=64296 window=hide"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MoreInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsqE177.tmp" has type "data"
"F5F320A94D4D2B4465D8F17E2BB2D351_E0B0930DA81DB590D1C74605A7640D62" has type "data"
"min_general_1_.css" has type "ASCII text with very long lines with no line terminators"
"6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" has type "data" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "iexplore.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Windows\System32\rsaenh.dll"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Windows\System32\wshqos.dll"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\AI3MDJGU.txt"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001f.db"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\QRQHVVP5.txt"
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\YPJTL9V3.txt" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://nsis.sf.net/NSIS_Error"
Pattern match: "www.wajam.com"
Heuristic match: "ajax.googleapis.com"
Heuristic match: "platform.twitter.com"
Heuristic match: "fonts.googleapis.com"
Heuristic match: "media-c9hg3zwqygdshhtrps.stackpathdns.com"
Heuristic match: "stats.g.doubleclick.net"
Heuristic match: "syndication.twitter.com"
Pattern match: "https://platform.twitter.com"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=159651"
Pattern match: "http://www.wajam.com/installer/start?aid=3673&aid2=none&unique_id=C7C92D87F1EF2BC54BF1F382E5949857"
Pattern match: "http://www.wajam.com/contact_us.php"
Pattern match: "http://www.wajam.com"
Pattern match: "http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp="
Pattern match: "http://www.wajam.com/update/Updater/wajam_update.exe"
Pattern match: "http://downloadfallback.wajam.com/update/Updater/wajam_update.exe"
Pattern match: "inetc.dll/endhttp://www.wajam.com/installer/progress?section=&aid=&aid2=&unique_id=&tv=1.92-13&install_timestamp=getDTRACK"
Pattern match: "http://www.wajam.com/faq.\par"
Pattern match: "http://www.wajam.com/terms-of-service"
Pattern match: "www.wajam.com/update/Updater/wajam_update.exeS"
Pattern match: "http://nsis.sf.net/NSIS_ErrorError"
Heuristic match: "#w.iO"
Heuristic match: "r`>*3@T,Y|-1jACX8|X}imTCcCO_s}b}kMwa^ul5}Vy7gy=hO~;!|-Os&[-.jp"
Pattern match: "www.usertrust.com10UUTN-USERFirst-Object0"
Pattern match: "fonts.googleapis.com/css?family=Signika:400,300,600,700"
Pattern match: "http://web1sb.wajam.com"
Pattern match: "http://s.waj.am/"
Pattern match: "http://waj.am/"
Pattern match: "http://web1sb.wajam.com/shorturl.php"
Pattern match: "http://www.wajam.com/shorturl.php"
Pattern match: "http://www.wajam.com/update/InternetExplorer/update_bho.xml"
Pattern match: "http://www.wajam.com/"
Pattern match: "wajam.com/update/InternetExplorer/update_bho.xml"
Heuristic match: "/web1sb.wajam.com"
Pattern match: "1sb.wajam.com/shorturl.php"
Pattern match: "www.wajam.com/"
Pattern match: "www.priam.com/"
Pattern match: "http://msdn.microsoft.com/en-us/library/aa385465.aspx"
Pattern match: "https://go.microsoft.com/fwlink/?LinkID=401352"
Pattern match: "https://go.microsoft.com/fwlink/?LinkID=513071" - source
- File/Memory
- relevance
- 10/10
-
HTTP request contains Base64 encoded artifacts
- details
-
"{-jYmg"
"?;Qu6x{"
"{-jYmg"
"?;Qu6x{"
"J('FM4" - source
- Network Traffic
- relevance
- 7/10
- ATT&CK ID
- T1132
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"platform.twitter.com" (Indicator: "twitter")
"syndication.twitter.com" (Indicator: "twitter")
"HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: https://platform.twitter.com
cache-control: must-revalidate, max-age=600
content-encoding: gzip
content-length: 125
content-type: application/json; charset=utf-8
date: Wed, 19 Jun 2019 15:37:10 GMT
last-modified: Wed, 19 Jun 2019 15:37:10 GMT
server: tsa_a
set-cookie: tfw_exp=1; Max-Age=1209600; Expires=Wed, 3 Jul 2019 15:37:10 GMT; Path=/; Domain=.twitter.com
strict-transport-security: max-age=631138519
vary: Origin
x-connection-hash: e206d73eacc08a29c993493a718f3b30
x-response-time: 6" (Indicator: "twitter")
"{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\lang1033\fs16 Facebook and Twitter user data is used by Wajam to give you personal results from friends based on what you search.\par" (Indicator: "twitter") - source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"WajamUpdater.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WAJAMUPDATER")
"WajamUpdater.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WAJAMUPDATER"; Key: "EVENTMESSAGEFILE"; Value: "%PROGRAMFILES%\Wajam\Updater\WajamUpdater.exe")
"WajamUpdater.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WAJAMUPDATER"; Key: "TYPESSUPPORTED"; Value: "07000000") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"6a393ecb2861a27240d322dd407f6adb7218b0a5.exe" opened "\Device\KsecDD"
"IE_approveExt.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Found Delphi 4 - Delphi 2006 artifact
- details
- "SimpleSC.dll" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably Thu Jan 1 00:00:00 1970
- source
- Static Parser
- relevance
- 10/10
-
Matched Compiler/Packer signature
- details
-
"f8989dce269bb3b7c0c9361421ec82199c0cb1094621bd5e3d6a3825c0e3e71c.bin" was detected as "Nullsoft PiMP Stub -> SFX"
"SimpleSC.dll" was detected as "Borland Delphi 4.0"
"inetc.dll" was detected as "Microsoft visual C++ 6.0 DLL"
"uninstall.exe" was detected as "Nullsoft PiMP Stub -> SFX"
"WajamUpdater.exe" was detected as "VC8 -> Microsoft Corporation"
"priam_bho.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"ExecCmd.dll" was detected as "Morphine v1.2 (DLL)"
"IE_approveExt.exe" was detected as "VC8 -> Microsoft Corporation"
"GetVersion.dll" was detected as "ACProtect v1.3x - v1.4x DLL -> Risco Software Inc."
"IpConfig.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"nsisos.dll" was detected as "LCC-Win32 DLL" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
-
File Details
6a393ecb2861a27240d322dd407f6adb7218b0a5.exe
- Filename
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe
- Size
- 518KiB (529993 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- f8989dce269bb3b7c0c9361421ec82199c0cb1094621bd5e3d6a3825c0e3e71c
- MD5
- b38af493a4b5beaf6f2f3c1fec981fda
- SHA1
- 6a393ecb2861a27240d322dd407f6adb7218b0a5
- ssdeep
- 12288:eHISnM6kGaGHFC0l+zRhP4+7GP/fof613pbYF:eHe6kGTVlsRex3flZbYF
- imphash
- dfb06052e74b26a42b0e490bd1c07959
- authentihash
- dcfa8fb50417138712fee62db095bb2ba4a9cf45e1f498b3201102030b2915c9
- Compiler/Packer
- Nullsoft PiMP Stub -> SFX
Version Info
- LegalCopyright
- Wajam. All right reserved.
- ProductName
- Wajam
- LegalTrademarks
- Wajam Great minds search alike.
- FileVersion
- 1.92
- FileDescription
- -
- Translation
- 0x0409 0x0000
Classification (TrID)
- 91.7% (.EXE) NSIS - Nullsoft Scriptable Install System
- 3.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 2.9% (.EXE) Win64 Executable (generic)
- 0.7% (.DLL) Win32 Dynamic Link Library (generic)
- 0.4% (.EXE) Win32 Executable (generic)
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 10 .C Files compiled with CL.EXE (Visual Studio 6 Processor Pack) (build: 9044)
- 17 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
Hybrid Analysis
Analysed 6 processes in total (System Resource Monitor).
The number after a PID is the AV detection ratio for that process's image (it matches the AV Scan Result of the corresponding extracted file below).
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408) 34/81
- cmd.exe /C IE_approveExt.exe {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PID: 3880)
  - IE_approveExt.exe {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PID: 1096) 4/78
- iexplore.exe "http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=" (PID: 2612)
  - iexplore.exe SCODEF:2612 CREDAT:275457 /prefetch:2 (PID: 4652)
- WajamUpdater.exe /Service (PID: 3708) 19/75
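The process list above is the kind of parent/child chain a detection engineer wants to reconstruct from endpoint telemetry rather than read off a sandbox page. The Python below is an added example, not part of this report or of any Hybrid Analysis or Wajam code: it rebuilds the tree from constructed process-creation events modelled on the six processes listed here (parent PIDs are an assumption, since the report prints none, and PID 1000 is a placeholder for whatever started the installer) and flags the chain seen in this run: the installer launching cmd.exe /C with a helper that takes a {CLSID} argument, the browser being opened on a URL carrying the install's unique_id, and a dropped component started with a /Service switch. The tag names and helper functions are this example's own.

```python
"""Rebuild a process tree from process-creation events and flag this run's chain."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed events modelled on the six processes in the report's process list.
# Parent PIDs are an assumption (the report nests the processes but prints no
# ParentProcessId); PID 1000 is a placeholder for whatever started the installer.
EVENTS = [
    {"pid": 3408, "ppid": 1000, "cmdline": "6a393ecb2861a27240d322dd407f6adb7218b0a5.exe"},
    {"pid": 3880, "ppid": 3408, "cmdline": "cmd.exe /C IE_approveExt.exe {A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"},
    {"pid": 1096, "ppid": 3880, "cmdline": "IE_approveExt.exe {A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"},
    {"pid": 2612, "ppid": 3408, "cmdline": 'iexplore.exe "http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673"'},
    {"pid": 4652, "ppid": 2612, "cmdline": "iexplore.exe SCODEF:2612 CREDAT:275457 /prefetch:2"},
    {"pid": 3708, "ppid": 3408, "cmdline": "WajamUpdater.exe /Service"},
]

# Registry-style GUID in braces, as passed to IE_approveExt.exe above.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def image_name(cmdline: str) -> str:
    """First token of the command line, lower-cased (e.g. 'cmd.exe')."""
    return cmdline.split(" ", 1)[0].strip('"').lower()


def build_tree(events) -> Tuple[Dict[int, dict], Dict[int, List[int]]]:
    """Index events by PID and collect each PID's children in event order."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestors(by_pid: Dict[int, dict], pid: int) -> List[int]:
    """PIDs from the parent upward, following ppid links until one is unknown."""
    chain: List[int] = []
    while pid in by_pid:
        pid = by_pid[pid]["ppid"]
        chain.append(pid)
    return chain


def flag(events, installer_pid: int) -> Dict[int, List[str]]:
    """Tag processes that reproduce the chain seen in this sandbox run."""
    by_pid, _ = build_tree(events)
    flags: Dict[int, List[str]] = {}
    for e in events:
        tags: List[str] = []
        name, cl = image_name(e["cmdline"]), e["cmdline"].lower()
        from_installer = installer_pid in ancestors(by_pid, e["pid"])
        # cmd.exe /C <helper> {GUID} somewhere under the installer
        if name == "cmd.exe" and "/c" in cl and GUID_RE.search(e["cmdline"]) and from_installer:
            tags.append("cmd-runs-helper-with-clsid")
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent["cmdline"]) == "cmd.exe" and from_installer:
            tags.append("spawned-via-cmd")
        # installer opens the browser on a URL that carries the install's unique_id
        if name == "iexplore.exe" and "unique_id=" in cl and e["ppid"] == installer_pid:
            tags.append("browser-opened-with-tracking-url")
        # a dropped component started with a /Service switch (WajamUpdater.exe here)
        if cl.endswith("/service") and from_installer:
            tags.append("service-switch-from-installer")
        if tags:
            flags[e["pid"]] = tags
    return flags


def render(events) -> str:
    """Indented text tree, one line per process, roots first."""
    by_pid, children = build_tree(events)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{by_pid[pid]['cmdline']} (PID: {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for e in events:
        if e["ppid"] not in by_pid:  # no known parent: a root
            walk(e["pid"], 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EVENTS))
    for pid, tags in flag(EVENTS, installer_pid=3408).items():
        print(pid, tags)
```

The rules deliberately require the installer to be an ancestor, so a user typing the same cmd.exe line by hand, or a service started by the SCM with no link to the installer, does not trip them; feed it real Sysmon Event ID 1 records (ProcessId, ParentProcessId, CommandLine) and the same functions apply.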
Network Analysis
DNS Requests
Domain | Address | TTL (s) | Registrar | Country
---|---|---|---|---
ajax.googleapis.com | 172.217.7.170 | 3599 | MarkMonitor, Inc. | United States
crl.pki.goog | 172.217.7.131 | 1 | - | United States
fonts.googleapis.com | 172.217.5.234 | 3313 | MarkMonitor, Inc. | United States
media-c9hg3zwqygdshhtrps.stackpathdns.com | 151.139.244.29 | 299 | MarkMonitor, Inc. | United States
ocsp.pki.goog | 172.217.7.131 | 297 | - | United States
platform.twitter.com | 192.229.163.25 | 20 | CSC CORPORATE DOMAINS, INC. | United States
stats.g.doubleclick.net | 172.217.195.155 | 21599 | MarkMonitor, Inc. | United States
syndication.twitter.com | 104.244.42.8 | 689 | CSC CORPORATE DOMAINS, INC. | United States
www.wajam.com | 5.135.138.118 | 20695 | Moniker Online Services LLC (Organization: Moniker Privacy Services; Name Server: NS10.DNSMADEEASY.COM; Creation Date: Thu, 09 Aug 2007 00:00:00 GMT) | France
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Country
---|---|---|---
5.135.138.118 | 80/TCP | 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408), iexplore.exe (PID: 4652), wajamupdater.exe (PID: 4780) | France
172.217.7.170 | 80/TCP | iexplore.exe (PID: 4652) | United States
192.229.163.25 | 80/TCP | iexplore.exe (PID: 4652) | United States
172.217.5.234 | 80/TCP | iexplore.exe (PID: 4652) | United States
74.125.192.155 | 443/TCP | iexplore.exe (PID: 4652) | United States
192.229.163.25 | 443/TCP | iexplore.exe (PID: 4652) | United States
151.139.244.29 | 80/TCP | iexplore.exe (PID: 4652) | United States
172.217.7.131 | 80/TCP | iexplore.exe (PID: 4652) | United States
104.244.42.72 | 443/TCP | iexplore.exe (PID: 4652) | United States
HTTP Traffic
- 5.135.138.118:80 (www.wajam.com)
  GET /installer/progress?section=100&aid=&aid2=&unique_id=&tv=1.92-13&install_timestamp= HTTP/1.1
  User-Agent: NSIS_Inetc (Mozilla)
  Host: www.wajam.com
  Connection: Keep-Alive
  Cache-Control: no-cache
- 5.135.138.118:80 (www.wajam.com)
  GET /installer/start?aid=3673&aid2=none&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&tv=1.92-13&install_timestamp=1560965831 HTTP/1.1
  User-Agent: NSIS_Inetc (Mozilla)
  Host: www.wajam.com
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: PHPSESSID=vmnbhu240179dbfikdpk82ajel; _wau=15609585538671540; _wal=1560958553; APPSESSID=w3|XQpWf|XQpWf
- 5.135.138.118:80 (www.wajam.com)
  GET /installer/post_install?aid=3673&aid2=none&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&tv=1.92-13&install_timestamp=1560965831 HTTP/1.1
  User-Agent: NSIS_Inetc (Mozilla)
  Host: www.wajam.com
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: PHPSESSID=vmnbhu240179dbfikdpk82ajel; _wau=15609585538671540; _wal=1560958555; APPSESSID=w3|XQpWg|XQpWf
- 5.135.138.118:80 (www.wajam.com)
  GET /index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp= HTTP/1.1
  Accept: text/html, application/xhtml+xml, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958585
- 5.135.138.118:80 (www.wajam.com)
  GET /js/min_general_en.js?1.00434.0 HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnj...
- 172.217.7.170:80 (ajax.googleapis.com)
  GET /ajax/libs/jqueryui/1.8.16/jquery-ui.js?1.00434.0 HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: ajax.googleapis.com
  DNT: 1
  Connection: Keep-Alive
- 172.217.7.170:80 (ajax.googleapis.com)
  GET /ajax/libs/jquery/1.7/jquery.min.js?1.00434.0 HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: ajax.googleapis.com
  DNT: 1
  Connection: Keep-Alive
- 192.229.163.25:80 (platform.twitter.com)
  GET /widgets.js?1.00434.0 HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: platform.twitter.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: personalization_id="v1_klJqB00qZ2y8VHUHD/E+KQ=="; guest_id=v1%3A1512457558...
- 5.135.138.118:80 (www.wajam.com)
  GET /js/min_fancybox.js?1.00434.0 HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjag...
- 5.135.138.118:80 (www.wajam.com)
  GET /js/min_signup_page.js?1.00434.0 HTTP/1.1
  Accept: application/javascript, */*;q=0.8
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfn...
- 5.135.138.118:80 (www.wajam.com)
  GET /css/min_fancybox.css?1.00434.0 HTTP/1.1
  Accept: text/css, */*
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_u...
- 5.135.138.118:80 (www.wajam.com)
  GET /css/min_signup.css?1.00434.0 HTTP/1.1
  Accept: text/css, */*
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_uni...
- 5.135.138.118:80 (www.wajam.com)
  GET /css/min_general.css?1.00434.0 HTTP/1.1
  Accept: text/css, */*
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20ommfnjagevfd; not_logged_un...
- 5.135.138.118:80 (www.wajam.com)
  GET /imgs/feedback.png HTTP/1.1
  Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958588; PHPSESSID=239dc928casm20om...
- 5.135.138.118:80 (www.wajam.com)
  POST /client_send_debug_info.php?v=i1.92&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&major_version=6&minor_version=1 HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Filename: install.log
  User-Agent: NSIS_Inetc (Mozilla)
  Host: www.wajam.com
  Content-Length: 10769
  Connection: Keep-Alive
  Cache-Control: no-cache
- 5.135.138.118:80 (www.wajam.com)
  GET /update/Updater/wajam_update.exe HTTP/1.1
  Accept: */*
  If-Modified-Since: Tue, 18 Jun 2019 15:49:00 +0000
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.wajam.com
  Connection: Keep-Alive
- 172.217.5.234:80 (fonts.googleapis.com)
  GET /css?family=Signika:400,300,600,700 HTTP/1.1
  Accept: text/css, */*
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: fonts.googleapis.com
  DNT: 1
  Connection: Keep-Alive
- 5.135.138.118:80 (www.wajam.com)
  GET /css/webfonts/F37F5_0.eot? HTTP/1.1
  Accept: */*
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Origin: http://www.wajam.com
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958626; PHPSESSID=239dc928casm20ommfnjagevfd...
- 5.135.138.118:80 (www.wajam.com)
  GET /css/webfonts/F37F5_1.eot? HTTP/1.1
  Accept: */*
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Origin: http://www.wajam.com
  Accept-Encoding: gzip, deflate
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: _wau=15609585538671540; _wal=1560958626; PHPSESSID=239dc928casm20ommfnjagevfd...
- 5.135.138.118:80 (www.wajam.com)
  GET /installer/finish?aid=3673&aid2=none&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&tv=1.92-13&install_timestamp=1560965831 HTTP/1.1
  User-Agent: NSIS_Inetc (Mozilla)
  Host: www.wajam.com
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: PHPSESSID=vmnbhu240179dbfikdpk82ajel; _wau=15609585538671540; _wal=1560958626; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; APPSESSID=w3|XQpWo|XQpWf
- 151.139.244.29:80 (media-c9hg3zwqygdshhtrps.stackpathdns.com)
  GET /imgs/app/wajam/mainSprite.png HTTP/1.1
  Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: media-c9hg3zwqygdshhtrps.stackpathdns.com
  DNT: 1
  Connection: Keep-Alive
- 151.139.244.29:80 (media-c9hg3zwqygdshhtrps.stackpathdns.com)
  GET /imgs/subHeader_bkg.png HTTP/1.1
  Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: media-c9hg3zwqygdshhtrps.stackpathdns.com
  DNT: 1
  Connection: Keep-Alive
- 151.139.244.29:80 (media-c9hg3zwqygdshhtrps.stackpathdns.com)
  GET /imgs/fancybox/blank.gif HTTP/1.1
  Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: media-c9hg3zwqygdshhtrps.stackpathdns.com
  DNT: 1
  Connection: Keep-Alive
- 151.139.244.29:80 (media-c9hg3zwqygdshhtrps.stackpathdns.com)
  GET /imgs/header_bkg.png HTTP/1.1
  Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
  Referer: http://www.wajam.com/index.php?firstrun=1&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&aid2=none&enabled=1&tv=1.92-13&install_timestamp=1560965831&clp=
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: media-c9hg3zwqygdshhtrps.stackpathdns.com
  DNT: 1
  Connection: Keep-Alive
- 172.217.7.131:80 (ocsp.pki.goog)
  GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Microsoft-CryptoAPI/6.1
  Host: ocsp.pki.goog
- 172.217.7.131:80 (ocsp.pki.goog)
  GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEAz%2B6ADJSnR5hSyii3PbeQE%3D HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Microsoft-CryptoAPI/6.1
  Host: ocsp.pki.goog
- 172.217.7.131:80 (crl.pki.goog)
  GET /GTSGIAG3.crl HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Microsoft-CryptoAPI/6.1
  Host: crl.pki.goog
- 5.135.138.118:80 (www.wajam.com)
  GET /addon/flags?v=b1.22&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&r=42465 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: PHPSESSID=239dc928casm20ommfnjagevfd; _wau=15609585538671540; _wal=1560958593; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; __utma=112079874.1104058905.1560959461.1560959461.1560959461.1; __utmb=112079874.1.10.1560959461; __utmc=1120...
- 5.135.138.118:80 (www.wajam.com)
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: PHPSESSID=239dc928casm20ommfnjagevfd; _wau=15609585538671540; _wal=1560958593; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; __utma=112079874.1104058905.1560959461.1560959461.1560959461.1; __utmb=112079874.1.10.1560959461; __utmc=112079874; __utmz=112079874.1560959461.1.1.utmcsr=(direct)|utmccn=(direc...
- 5.135.138.118:80 (www.wajam.com)
  GET /index.php?v=b1.22&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&firstrun=1&install_timestamp=1560965831&r=22927 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: PHPSESSID=239dc928casm20ommfnjagevfd; _wau=15609585538671540; _wal=1560958593; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; __utma=112079874.1104058905.1560959461.1560959461.1560959461.1; __utmb=...
- 5.135.138.118:80 (www.wajam.com)
  GET /supported_urls_list.php?v=b1.22&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&r=76714 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Host: www.wajam.com
  DNT: 1
  Connection: Keep-Alive
  Cookie: PHPSESSID=239dc928casm20ommfnjagevfd; _wau=15609585538671540; _wal=1560958593; not_logged_unique_id=C7C92D87F1EF2BC54BF1F382E5949857; __utma=112079874.1104058905.1560959461.1560959461.1560959461.1; __utmb=112079874.1.10.1560959461;...
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://downloadfallback.wajam.com/update/updater/wajam_update.exe | Domain/IP reference | 00047804-00003708-10921-613-00BF1057 |
http://nsis.sf.net/nsis_error | Domain/IP reference | 00045479-00003408-62267-60-004030D6 |
http://go.microsoft.com/fwlink/?linkid=159651 | Domain/IP reference | 00047133-00001096-5531-120-002011D0 |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 5.135.138.118:80 (TCP) | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers | 2011227 |
local -> 5.135.138.118:80 (TCP) | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers | 2011227 |
local -> 5.135.138.118:80 (TCP) | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers | 2011227 |
local -> 5.135.138.118:80 (TCP) | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers | 2011227 |
local -> 5.135.138.118:80 (TCP) | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers | 2011227 |
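The five Suricata hits above all key on one thing, the NSIS_Inetc (Mozilla) User-Agent sent by the installer's download plugin. The HTTP traffic table shows what that rule does not: the same unique_id follows the install from the installer's own requests into the Internet Explorer session, and the one POST carries install.log (Filename header, Content-Length 10769). The Python below is an added example, not taken from this report or from any Wajam or Hybrid Analysis code: it parses raw requests of the shape printed above (the four sample requests are constructed, trimmed copies of table entries), tags each with the same User-Agent match the ET rule names, with file uploads and with tracking parameters, and then groups requests by unique_id so installer-side and browser-side traffic line up. The tag names and helper functions are this example's own.

```python
"""Triage rules over raw HTTP requests of the kind this report lists."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample: four requests modelled on the report's HTTP traffic,
# trimmed to the headers the rules below look at. Not captured traffic.
SAMPLE_REQUESTS = [
    "GET /installer/start?aid=3673&aid2=none&unique_id=C7C92D87F1EF2BC54BF1F382E5949857"
    "&tv=1.92-13&install_timestamp=1560965831 HTTP/1.1\r\n"
    "User-Agent: NSIS_Inetc (Mozilla)\r\n"
    "Host: www.wajam.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "POST /client_send_debug_info.php?v=i1.92&unique_id=C7C92D87F1EF2BC54BF1F382E5949857"
    "&aid=3673&aid2=none&major_version=6&minor_version=1 HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Filename: install.log\r\n"
    "User-Agent: NSIS_Inetc (Mozilla)\r\n"
    "Host: www.wajam.com\r\n"
    "Content-Length: 10769\r\n\r\n",
    "GET /ajax/libs/jquery/1.7/jquery.min.js?1.00434.0 HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: ajax.googleapis.com\r\n\r\n",
    "GET /addon/flags?v=b1.22&unique_id=C7C92D87F1EF2BC54BF1F382E5949857&aid=3673&r=42465 HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: www.wajam.com\r\n\r\n",
]

# The User-Agent string that ET SID 2011227 names in its message.
NSIS_INETC_UA = "NSIS_Inetc (Mozilla)"


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: Dict[str, str]
    query: Dict[str, List[str]] = field(default_factory=dict)


def parse_request(raw: str) -> Request:
    """Parse request line and headers of one raw HTTP/1.x request (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return Request(method, headers.get("host", ""), parts.path, headers,
                   parse_qs(parts.query))


def classify(req: Request) -> List[str]:
    """Tag one request with the behaviours this report's indicators describe."""
    tags: List[str] = []
    if req.headers.get("user-agent", "") == NSIS_INETC_UA:
        tags.append("nsis-inetc-ua")    # installer-side HTTP client
    if req.method == "POST" and "filename" in req.headers:
        tags.append("file-upload")      # "POSTs files to a webserver"
    if "unique_id" in req.query:
        tags.append("tracking-id")      # per-install identifier in the URL
    return tags


def correlate(raws: List[str]) -> Dict[str, dict]:
    """Group requests by unique_id so installer and browser traffic line up."""
    by_id: Dict[str, dict] = {}
    for raw in raws:
        req = parse_request(raw)
        for uid in req.query.get("unique_id", []):
            entry = by_id.setdefault(uid, {"user_agents": set(), "hosts": set(),
                                           "paths": [], "uploads": [], "tags": set()})
            entry["user_agents"].add(req.headers.get("user-agent", ""))
            entry["hosts"].add(req.host)
            entry["paths"].append(req.path)
            tags = classify(req)
            entry["tags"].update(tags)
            if "file-upload" in tags:
                entry["uploads"].append(req.headers["filename"])
    return by_id


if __name__ == "__main__":
    for uid, info in correlate(SAMPLE_REQUESTS).items():
        print(uid, sorted(info["tags"]), sorted(info["user_agents"]), info["uploads"])
```

The jQuery fetch from ajax.googleapis.com gets no tag at all, which is the point of correlating on unique_id rather than on the host list: the CDN, font and Twitter widget requests are ordinary page assets of the landing page, and only the requests that carry the install identifier belong to the installer's own conversation with www.wajam.com.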
Extracted Files
Displaying 35 extracted file(s). The remaining 79 file(s) are available in the full version and XML/JSON reports.
Malicious (8)
-
IE_approveExt.exe
- Size
- 79KiB (80384 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Pua.Wajam" (4/78)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- e3affa05acf7b24a8405806510a3d246
- SHA1
- 7912d17f9d3743bb8784fa6ab0f7d8bb19b0fc30
- SHA256
- 1950d5cf80cdbe40fcaa51763e13f0a23a301db5c08e79c693c1040572aafecd
-
priam_bho.dll
- Size
- 290KiB (297096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "PUA.Wajam" (22/73)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- b04bd9b8dffdf74fbebb0c2e4fe2691e
- SHA1
- 7a45f4c7a7eeaa6ef97c036a7bfc992d405cd270
- SHA256
- 7469f30013a5e7c202eaf545834bd458a0a11a4be1da459dad2c88c2c22affe6
-
WajamUpdater.exe
- Size
- 107KiB (109064 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Adware.Wajam" (19/75)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- 4aa2cc5979aff984227364f2c23b04f3
- SHA1
- a252fedceedca1655d593982040cceed07812def
- SHA256
- b23112ae291efae80aa7f9b1b119eb0da4e426930a23ee77a6a43288f3c0cbb9
-
uninstall.exe
- Size
- 63KiB (64296 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result
- Labeled as "Wajam" (8/56)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- e7350d6c4f9bd533ca67d231fb1ea0a8
- SHA1
- 7bf13e6709c7905a1391ac7fd71b5bb7f03220f8
- SHA256
- 6ec3087999bb46a65596b8d7cd832f6477bc88c861342ad76a1408ce3276a811
-
DcryptDll.dll
- Size
- 15KiB (14848 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "DNSChanger.aho" (2/79)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- 904beebec2790ee2ca0c90fc448ac7e0
- SHA1
- 40fabf1eb0a3b7168351c4514c5288216cb1566d
- SHA256
- f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222
-
ExecCmd.dll
- Size
- 4.5KiB (4608 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Suspicious" (1/78)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- b9380b0bea8854fd9f93cc1fda0dfeac
- SHA1
- edb8d58074e098f7b5f0d158abedc7fc53638618
- SHA256
- 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
-
MoreInfo.dll
- Size
- 7KiB (7168 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Unavailable" (3/79)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- 80e34b7f576b710d100f6e7c0bed0c2e
- SHA1
- 2b5b895034d41ee0d0d01bf650594ad0d1346662
- SHA256
- 569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99
-
nsisos.dll
- Size
- 5.5KiB (5632 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Suspicious" (1/79)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- 69806691d649ef1c8703fd9e29231d44
- SHA1
- e2193fcf5b4863605eec2a5eb17bf84c7ac00166
- SHA256
- ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
Clean (6)
-
GetVersion.dll
- Size
- 6KiB (6144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
- AV Scan Result
- 0/79
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- dc9562578490df8bc464071f125bfc19
- SHA1
- 56301a36ae4e3f92883f89f86b5d04da1e52770d
- SHA256
- 0351fe33a6eb13417437c1baaee248442fb1ecc2c65940c9996bcda574677c3f
-
IpConfig.dll
- Size
- 115KiB (117248 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/81
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- a3ed6f7ea493b9644125d494fbf9a1e6
- SHA1
- ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
- SHA256
- ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
-
SimpleSC.dll
- Size
- 62KiB (62976 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/79
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- d63975ce28f801f236c4aca5af726961
- SHA1
- 3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9
- SHA256
- e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43
-
System.dll
- Size
- 11KiB (11264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/81
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- c17103ae9072a06da581dec998343fc1
- SHA1
- b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
- dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
-
inetc.dll
- Size
- 21KiB (20992 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/76
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- 4c01fdfd2b57b32046b3b3635a4f4df8
- SHA1
- e0af8e418cbe2b2783b5de93279a3b5dcb73490e
- SHA256
- b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014
-
urlblockindex_1_.bin
- Size
- 16B (16 bytes)
- Type
- data
- AV Scan Result
- 0/62
- MD5
- fa518e3dfae8ca3a0e495460fd60c791
- SHA1
- e4f30e49120657d37267c0162fd4a08934800c69
- SHA256
- 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7
Informative (21)
-
1YJ08Z9W.txt
- Size
- 153B (153 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- b2e45038f452b4ce14dead69240d1577
- SHA1
- bf4d2d0bec5a50f93ceca3db7f2553784fb148e7
- SHA256
- 2f494f6034d78d184d47ab4c5d8afd80a704d958bbd4b8a39c6b4429cb37f754
-
2T099F21.txt
- Size
- 678B (678 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- dbeff3abc8109a5bcf14861483c669e7
- SHA1
- 72a5875f5b9b6abc253e4724868a3904f8807dca
- SHA256
- 0434e3ae3e3d7f1954de3ae9889d5f168266b963ee9a544b697f169450a62c3f
-
2WGAQVFB.txt
- Size
- 97B (97 bytes)
- Runtime Process
- iexplore.exe (PID: 2612)
- MD5
- 264a26829f20cca78b289c5ee5678f53
- SHA1
- 56c888b65b6235b33f585856011dd0d9f6236e40
- SHA256
- eb35ca442e9ffa3cb27afbf8e1241293ef1505bb5774a30c794f41a158bf0a45
-
308INO8U.txt
- Size
- 680B (680 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- 27db059f4ff02641c75356c44def6be0
- SHA1
- 448f702d64a1818d7626dc808208aa42a886b916
- SHA256
- cb65614619ed19ba83bcdf5fe257f9a6240106ea5c8278a40aa62cc76765bfe4
-
3ED1W9UR.txt
- Size
- 65B (65 bytes)
- Runtime Process
- iexplore.exe (PID: 2612)
- MD5
- 097ef68646cbe4aa67eb587dc89b537d
- SHA1
- 9b52f956bb382ed1dcaf33f0534b5a3dff48743b
- SHA256
- 47a989a09fcc2bf47b5193e51148ed30ee72f8792b6842c46d5a23cc82959645
-
3GXTEQN8.txt
- Size
- 197B (197 bytes)
- Runtime Process
- iexplore.exe (PID: 2612)
- MD5
- f13cf27cd97fce8d9bcac440de88c230
- SHA1
- 56a5a7a9ebb388adbc104b8f3dbd44095a56c63a
- SHA256
- d04cbb7f8cb1568c1d93b1c5797d44e70174f06bcd5d31b20ac1baabe109466e
-
3V1A037A.txt
- Size
- 678B (678 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- ad7cd6b2242e02cf7621c053e9b33356
- SHA1
- 1238b0a6d6123a35396ae011bbf7cda7baaaeb93
- SHA256
- 32c5446def787343fafb0bf6a4e1e1acb8b99d4becb11cbcd5df0d5e75c6fa51
-
4XIJ0WM9.txt
- Size
- 278B (278 bytes)
- Runtime Process
- iexplore.exe (PID: 2612)
- MD5
- a5eb0c95eecc07b1091fcbb86c394427
- SHA1
- 4ec2297149e25cd49e9602b92144d9e38d01706f
- SHA256
- 7fbf375802265abd7eec67a6df95960c6a13088ff9bcc6529986a642188b3372
-
5SUPAS32.txt
- Size
- 266B (266 bytes)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- 4f98bcd8d1b13fb306dbf541ba877a18
- SHA1
- 2329c8d1494a7ad52a00537104d7dfd2d161d969
- SHA256
- 30c3e289a46242c3e3b56da3364dda20057747890ad5325e31f31265986f07a0
-
AI3MDJGU.txt
- Size
- 80B (80 bytes)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- 4f017756a0ad9bf83ae100cd68580fc3
- SHA1
- 6acb8434d73cf6ff2c3c16b57e2614d50b19e780
- SHA256
- 00b33bb899087d3dc12d64949979abec2dd627734d6346e74ff78b1b9ada7687
-
ASDCA81Z.txt
- Size
- 523B (523 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- 18ecdc5cb8b5c9aed44befc89c27e2f2
- SHA1
- 23a36ddc0848856375f08864edd7f5a957a6204b
- SHA256
- 5fc233ec0b93a2c3548c3b3cd8dd9710c1803640df2cddcde7ef6e4f7cddd142
-
B3LKLNNC.txt
- Size
- 214B (214 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- 4de802eede749c263ee76f0501601865
- SHA1
- 1cb0898b5a062551858855ab32ca08283d16dfe1
- SHA256
- f60322259863b3d904b54fdcd13a630c36eefe3be732701d5812f6b75a4aafa6
-
BQRMC150.txt
- Size
- 680B (680 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- 78787a011e19a618293e2b3584a153f6
- SHA1
- 243f70ed34ea8aa8cbc7426775e3fb43cb9c6c21
- SHA256
- 1a08e1fda8643a9e74a620dd3b268ff0d825587a8e0a5b52f73022c0f14bb7c8
-
E4O0EOXN.txt
- Size
- 266B (266 bytes)
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- b862f03eb5e0f9a10d6a1fc441b91257
- SHA1
- a9dff6435a83724ad6457bba1b692d02b9713315
- SHA256
- 84ab251051aed69ee0efc00e67cfc3f14646c4b55899c15de25197386fabc9df
-
EOOZ1NSZ.txt
- Size
- 266B (266 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- 9f86131815837e042cd305e45b5abb97
- SHA1
- 7f177a4a05a0abb4480229cf3e8fa84b54b66af3
- SHA256
- 1a81257f3e6bb4c77cfbffd85577a292dfbbd0b0b358e84d178925a0ae1c29b1
-
FD7BSLOH.txt
- Size
- 680B (680 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- 3a976475c06d6669a174148f988e392e
- SHA1
- 7938de0ccfd7a095624e35148087f4bbccaa549f
- SHA256
- 91b137b222695237830af864d92fb9edb7a7e99cf1e32b247be66ee92657254c
-
G0OOBPUP.txt
- Size
- 266B (266 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- 3755c591bcd26175a16ecee3c9ea9db7
- SHA1
- 8ae74eaf7fe18039e2645323c8d8508de8cc4a69
- SHA256
- e8c9f52e57ceedb3a709d407d475af834140c7b6b67cab954d4921a3d694cbf6
-
IH92S768.txt
- Size
- 387B (387 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- daa6cf30ba58fe361224b26ded06e82a
- SHA1
- 0171243d60057fb6443d703db976a9ba0c33ed60
- SHA256
- 826d190bc9ebb4ca64922d13c25b1cc933a172df9406d98cb4f89d144ab5321a
-
ILAJSI2H.txt
- Size
- 265B (265 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- 6a09f41d624670f180658405125a0dd2
- SHA1
- 588252c1b2b1489d837e8f22913fbbb32b647efe
- SHA256
- 9c210fce52f0d5cc02af92d3766b9972a4f3cd399ff927090fe987c661151f31
-
IU8QG1NK.txt
- Size
- 680B (680 bytes)
- Runtime Process
- iexplore.exe (PID: 4652)
- MD5
- c4f2f9a93cd626fe4cd700c436d69884
- SHA1
- db5ebf58e68812b357323de0253cdc409fc34261
- SHA256
- e9c8ad84da54b636f3e53c2cdaa601b42329d9cec15e747f87eba71c48a93947
-
uninstall.lnk
- Size
- 981B (981 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Sep 18 20:17:38 2013, mtime=Wed Jun 19 15:38:51 2019, atime=Wed Sep 18 20:17:38 2013, length=64296, window=hide
- Runtime Process
- 6a393ecb2861a27240d322dd407f6adb7218b0a5.exe (PID: 3408)
- MD5
- 5fc26732b443bd8af3c34735e20c6679
- SHA1
- de8db4682d38589eb6f97e2999b89e67f9b3672c
- SHA256
- 99e329053e23b189001152dfe3e51ea1aa3b6ed945bb518e2c1186dda56ce375
Notifications
Runtime
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for cmd.exe (PID: 3880)
- Not all file accesses are visible for iexplore.exe (PID: 2612)
- Not all file accesses are visible for iexplore.exe (PID: 4652)
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "network-0" are available in the report
- Not all sources for indicator ID "network-2" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Some low-level data is hidden, as this is only a slim report