577a7ec9e58665b9b840ce9618e2d330c065dc9a7d7b2109f52e392b77e839c4

Analysis

max time kernel
125s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Size

1.5MB
MD5

02620653340ad8d2a425b5e5f8af258f
SHA1

94f8d4cc9ec4615cfd4a790549e23870f7c8f7a8
SHA256

577a7ec9e58665b9b840ce9618e2d330c065dc9a7d7b2109f52e392b77e839c4
SHA512

cbf3d33fde12a9d2347550a4a462d1d604fea3b72ffc60ccd51234241b8f1f79ee7923c00b4c762204b473411f082726c2daa950736ada322b8f6baf4c9cb6d3
SSDEEP

24576:V2xjlqM8GzLDG8tTo2Rig30oPQ1xTufJLckEY/fudN9GQcCeIRLhlAB2lX:ErqYzGRoqChcC/fkGQwIRLhlKS

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2672	urld.exe
1776	nnlogon.exe
3672	nnlogon.exe
1620	UrlUpdate.exe
4000	urlupdate1.exe
3648	ntmurl.exe
2260	iewindow.exe

Loads dropped DLL 20 IoCs

pid	Process
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
4000	urlupdate1.exe
4556	regsvr32.exe
2844	regsvr32.exe
3648	ntmurl.exe
2260	iewindow.exe
2260	iewindow.exe
2260	iewindow.exe
2260	iewindow.exe
2260	iewindow.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}\NoExplorer	ntmurl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}	REG.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}	ntmurl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\NoExplorer	ntmurl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}	ntmurl.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSVBVM60.DLL	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dwshengine80.dll	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	urlupdate1.exe
File created	C:\Windows\SysWOW64\NSearcher.exe	ntmurl.exe
File opened for modification	C:\Windows\SysWOW64\NSearcher.exe	ntmurl.exe
File created	C:\Windows\SysWOW64\VB6KO.DLL	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dwsbc80.OCX	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DWSHK80.OCX	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	urlupdate1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	urlupdate1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	urlupdate1.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\autoup.ini	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.ini	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.log	nnlogon.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\tmp.mdb	ntmurl.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\sslaunch.log	ntmurl.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\iewindow.exe	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\navigator.ico	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\efsbar.dll	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\efbbar.dll	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\uninst.exe	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\urlupdate1.exe	UrlUpdate.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\nautoup.log	urlupdate1.exe
File created	C:\Program Files\Netimo\NSearcher\NSearcher.exe	ntmurl.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.mdb	iewindow.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\sslaunch.dll	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\autoup.ini	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\urlupdate1.exe	UrlUpdate.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.ldb	ntmurl.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\bbuninstall.reg	ntmurl.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\tagstemp.mdb	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.dll	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\bhocfg.ini	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.log	nnlogon.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.ldb	iewindow.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\nautoup.log	UrlUpdate.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\autoup.ini	urlupdate1.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\system.mdb	ntmurl.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.exe	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.ini	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\urld.exe	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\UrlUpdate.exe	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.mdb	ntmurl.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.mdb	ntmurl.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\sbinstall.reg	ntmurl.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\system.mdb	iewindow.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmEnd.exe	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File created	C:\Program Files (x86)\netimo\Common Shared\URLHelper\bhocode.ini	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\netimo\Common Shared\URLHelper\bhoexe.log	ntmurl.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2632	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{72CEEE43-C350-4932-B3DC-B6201F01EFCB}"	ntmurl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Explorer Bars	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main	ntmurl.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)	ntmurl.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}	ntmurl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\URL = "http://search.netimo.net/ntmsearch.html?where=all&cp=ezsearch&adv=yahoo&type=forward&ssupply=1&q={searchTerms}"	ntmurl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	ntmurl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)\ = "res://C:\\Program Files (x86)\\netimo\\Common Shared\\URLHelper\\ntmurl.dll/SEARCH.HTM"	ntmurl.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}	REG.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}\BarSize = dc00000000000000	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\SearchScopes	ntmurl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\Codepage = "949"	ntmurl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\DisplayName = "¾ßÈÄ"	ntmurl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)\contexts = "48"	ntmurl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}	REG.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ntmurl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	urlupdate1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ntmurl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	urlupdate1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	urlupdate1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	urlupdate1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ntmurl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	urlupdate1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	urlupdate1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	urlupdate1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	urlupdate1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ntmurl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ntmurl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ntmurl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ntmurl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ntmurl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\ProgID	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dwSbc80.Advanced	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C866B2C5-14CF-4908-8D11-7FA85FD63EC2}	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F8A3508D-B8F0-4619-94D1-A85A54B9ABAE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A294C45-07CC-426C-9512-6742053E462C}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FEC666-6DE0-4B67-977C-50CBC0E61E56}\8.0	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dwshk80.KeyPage.1\CLSID\ = "{651520F0-B9D9-46CE-987F-C8697222B4B8}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{149BD92F-B28E-4C04-8B4D-46CDD176B7E4}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\TypeLib\Version = "6.0"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7E1A422E-C5D0-41E7-BC80-DEDDB49E1FCF}\1.0\ = "dwSHEngine80 1.0 Type Library"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}\ = "EventParameters"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dwSbc80.Advanced.1\ = "Advanced PropertyPage"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6968E7F-3422-4CB7-8F37-3951F4880511}\MiscStatus	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dwshk80.HookPage.1\CLSID\ = "{C866B2C5-14CF-4908-8D11-7FA85FD63EC2}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FB96837-674C-407F-BBA0-CDC0D501512C}\TypeLib\ = "{70CA7ADF-1545-4085-A81F-260C365C5EF2}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA1FA35-AC92-4978-8556-0AFCD9B52FA2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6E6B197-9348-449E-A149-384B208874B1}	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CSideBar\Clsid\ = "{884DA533-61D6-43BD-AF00-BB3E961BFD29}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D27FC4A-5C49-45AD-A953-644738E3081B}\InprocServer32\ = "C:\\Windows\\SysWow64\\dwsbc80.OCX"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dwshk80.MsgList	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEA1FA35-AC92-4978-8556-0AFCD9B52FA2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}\ProxyStubClsid	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5FC14064-8342-4D18-947E-3BD813100F99}\ = "_DDwshkEvents"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8FEC666-6DE0-4B67-977C-50CBC0E61E56}\8.0\0\win32	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\Programmable	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37273445-885F-4C35-A953-73AC3A9F93F1}\TypeLib	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dwshk80.MsgList.1\CLSID	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF}\InprocServer32\ = "C:\\Program Files (x86)\\netimo\\Common Shared\\URLHelper\\ntmurl.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}\Forward	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.CTimer\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6A294C45-07CC-426C-9512-6742053E462C}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	REG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E72183BD-2FD6-4FEC-A806-BB3DE07A5E35}\ProxyStubClsid32	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{738A3C47-189C-4B96-8ACE-985DD34AFF17}\VERSION\ = "1045.4"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\TypeLib	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{446F2D1F-88B2-4928-ADCD-7B23714C00AD}\TypeLib	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{044D0F63-C274-40B2-8F50-F09A06DCFBE1}\ = "IURLHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\efindersidebar.CSideBar\ = "efindersidebar.CSideBar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib\Version = "6.0"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83C49FF0-B294-11D0-9488-00A0C91110ED}\TypeLib\Version = "6.0"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ = "IInputObjectCallback"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\InprocServer32	ntmurl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6E6B197-9348-449E-A149-384B208874B1}\415.4\HELPDIR	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C4-4442-11D1-8906-00A0C9110049}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6968E7F-3422-4CB7-8F37-3951F4880511}\ProgID	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6968E7F-3422-4CB7-8F37-3951F4880511}\ProgID\ = "dwshk80.WinHook.8"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\ProxyStubClsid32	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dwSbc80.Advanced.1	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\ = "GSubclass"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3672	nnlogon.exe
3672	nnlogon.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe
4000	urlupdate1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	nnlogon.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2672	urld.exe
1620	UrlUpdate.exe
4000	urlupdate1.exe
3648	ntmurl.exe
2260	iewindow.exe
2260	iewindow.exe
2260	iewindow.exe
2260	iewindow.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2672	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	89
PID 2428 wrote to memory of 2672	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	89
PID 2428 wrote to memory of 2672	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	89
PID 2428 wrote to memory of 1776	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	90
PID 2428 wrote to memory of 1776	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	90
PID 2428 wrote to memory of 1776	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	90
PID 2428 wrote to memory of 2632	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	92
PID 2428 wrote to memory of 2632	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	92
PID 2428 wrote to memory of 2632	2428	02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe	92
PID 3672 wrote to memory of 1620	3672	nnlogon.exe	96
PID 3672 wrote to memory of 1620	3672	nnlogon.exe	96
PID 3672 wrote to memory of 1620	3672	nnlogon.exe	96
PID 1620 wrote to memory of 4000	1620	UrlUpdate.exe	97
PID 1620 wrote to memory of 4000	1620	UrlUpdate.exe	97
PID 1620 wrote to memory of 4000	1620	UrlUpdate.exe	97
PID 4000 wrote to memory of 3648	4000	urlupdate1.exe	102
PID 4000 wrote to memory of 3648	4000	urlupdate1.exe	102
PID 4000 wrote to memory of 3648	4000	urlupdate1.exe	102
PID 3648 wrote to memory of 4556	3648	ntmurl.exe	106
PID 3648 wrote to memory of 4556	3648	ntmurl.exe	106
PID 3648 wrote to memory of 4556	3648	ntmurl.exe	106
PID 3648 wrote to memory of 2844	3648	ntmurl.exe	107
PID 3648 wrote to memory of 2844	3648	ntmurl.exe	107
PID 3648 wrote to memory of 2844	3648	ntmurl.exe	107
PID 3648 wrote to memory of 2020	3648	ntmurl.exe	108
PID 3648 wrote to memory of 2020	3648	ntmurl.exe	108
PID 3648 wrote to memory of 2020	3648	ntmurl.exe	108
PID 3648 wrote to memory of 2672	3648	ntmurl.exe	110
PID 3648 wrote to memory of 2672	3648	ntmurl.exe	110
PID 3648 wrote to memory of 2672	3648	ntmurl.exe	110
PID 3648 wrote to memory of 1068	3648	ntmurl.exe	112
PID 3648 wrote to memory of 1068	3648	ntmurl.exe	112
PID 3648 wrote to memory of 1068	3648	ntmurl.exe	112
PID 3648 wrote to memory of 2260	3648	ntmurl.exe	114
PID 3648 wrote to memory of 2260	3648	ntmurl.exe	114
PID 3648 wrote to memory of 2260	3648	ntmurl.exe	114

C:\Users\Admin\AppData\Local\Temp\02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files (x86)\netimo\Common Shared\URLHelper\urld.exe
  "C:\Program Files (x86)\netimo\Common Shared\URLHelper\urld.exe" http://search.netimo.net/gmtoolbar/log/m_install_counter.php?pcode=ezsearch&isinstall=1
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe
  "C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe" -i
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1776
- C:\Windows\SysWOW64\sc.exe
  "sc" start efinderservice
  2⤵
  - Launches sc.exe
  PID:2632

C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe
"C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Program Files (x86)\netimo\Common Shared\URLHelper\UrlUpdate.exe
  "C:\Program Files (x86)\netimo\Common Shared\URLHelper\UrlUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Program Files (x86)\netimo\Common Shared\URLHelper\urlupdate1.exe
    "C:\Program Files (x86)\netimo\Common Shared\URLHelper\urlupdate1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.exe
      "C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.exe" install scope addressbar
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4556
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files (x86)\netimo\Common Shared\URLHelper\efsbar.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2844
    - - C:\Windows\SysWOW64\REG.exe
        
        REG IMPORT "C:\Program Files (x86)\netimo\Common Shared\URLHelper\sbinstall.reg"
        5⤵
        Installs/modifies Browser Helper Object
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2020
    - - C:\Windows\SysWOW64\REG.exe
        
        REG IMPORT "C:\Program Files (x86)\netimo\Common Shared\URLHelper\sbinstall.reg"
        5⤵
        Modifies Internet Explorer settings
        
        PID:2672
    - - C:\Windows\SysWOW64\REG.exe
        
        REG IMPORT "C:\Program Files (x86)\netimo\Common Shared\URLHelper\bbuninstall.reg"
        5⤵
        
        PID:1068
    - - C:\Program Files (x86)\netimo\Common Shared\URLHelper\iewindow.exe
        
        "C:\Program Files (x86)\netimo\Common Shared\URLHelper\iewindow.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\netimo\Common Shared\URLHelper\UrlUpdate.exe

Filesize
152KB

MD5
df4c70adfe3ee8e7d0a7d396754681ea

SHA1
86d6bc8e6961a01aa689909d678512e0e3bc202c

SHA256
94a6a81ad5c12aec33d7274e43ed8197cd476bb9680724995631fd971e8a3d86

SHA512
94e8fa6c92cbb30320b2067158549e6079be66489c4a2c8008ec7675d9135cddd477137b3c08fe7e7a41d2da6fcc3732d9ae10e8bc47226108938249fa33fa4e

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\autoup.ini

Filesize
755B

MD5
f82cc945d023cf65d884252c34e87c50

SHA1
a08ce4b8cfc06d7f5c43c9156735b84b0a5a687f

SHA256
c4cd6af1a5603a37a6bd63a0c3eed36b3f348688f783d5512ea40cbdcc18788b

SHA512
8f88125981213df738282bd5da48446f9715264b888e8bc5fa6677120b2b8abf44ad5b5639fa7aa785a84d709a73ca00b8779ed97cd609d4db1883dbf8deab65

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\autoup.ini

Filesize
755B

MD5
0d11873653f416a4d174eec179138902

SHA1
aa365a464498317b19aab75c678f2ef8dff1b047

SHA256
debb5f120a21ddd59a0887d017b05aedfb9eaa681011323eb3a30f9c1c1437f1

SHA512
3edae3e08d3772a995b7642cbab8816490167b2c9a3fca6c2abc3866ede7284a0fbdeda6532975f894ec9feb25f199b1bc04eab79fd21e8dfb2cae53c3ede75c

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\bbuninstall.reg

Filesize
442B

MD5
d1b9ce8ba9d227e61b8200e837a791da

SHA1
5ae250f8c2191376d9a07d80c356cedf976a7575

SHA256
3f0c9bf08a9cdcdb96c2401271dc2bf0316adc6d4b01dde12c0d9da32594690d

SHA512
265d60be34fa0457e7a7073ccfacf7748b8bddf003589cc53e6e9f2d055a0b442fe21521b78d2e2321faeab7f401eeca7d7f32b3ba65c8d64fdaa521b243965c

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\bhocfg.ini

Filesize
10KB

MD5
8eb1f202b12256dc732a17590d7d508e

SHA1
8b032c6f45112d2aa3e72bcdfbcbd00144418e54

SHA256
d865151fc6bd08ae20c1252b197b658fc293a5183ec1f294a05d305c714070f5

SHA512
3ef8dfae492a5dd2887e7ea2e41a879322cdce86f8ee97e3438a47164c39d11349559c18e8bb27017f6ede0c4c5c69dfe05bb870657468f2faa9431de105f7bd

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\bhocode.ini

Filesize
27B

MD5
90f148367abbd9f6304f2cf05b91a490

SHA1
e63b00e3e7d337e26639205c25c1028426b3dbef

SHA256
bb31532a370f3325aeb125720cd1f1cf3834a3d07e8dbf963f3bccb7649da7a0

SHA512
e5cba1708ae8fabe42c4687f043e67354b45a06eca583e489f87228a33df1edaa311fcfdb1e44b8aa225f3ac1927f99eec39f89ae5623dc8eadb0bdd683a2a8d

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\efsbar.dll

Filesize
149KB

MD5
26eccc32791911ccdfe0aec05f733cf8

SHA1
cf0ffd6ee73c6dcb7cd52f4a863b6a5e44c29cbd

SHA256
b4f5d03f1649f2631e122dba48a18e3ee705d073ce5800bda90730d0ad6a35c1

SHA512
6841d08827476416bdc8ee2a224c0f2aaa8827acc32a78e1ecd3fecd796fadc2fc4aaf78af11f9e14a6ffcbc70bf7205c482f34a36ec07d3cc412d45d62cdf35

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\iewindow.exe

Filesize
405KB

MD5
c586e5bf4514ad24b6a0002e13d6452b

SHA1
6d22ea2e2ae087864c0f91a602cf5b588c54126e

SHA256
813be8eb3e53948faa20f051023fa132fd564e977c7932d130f5ea7a19c0d5dd

SHA512
a917390bda68c91f82764eb93ea5d9ce9d330fda9fe24b6956ee16312f342bf4213e0c8f737d83feb8bbf70f82df41d2c7720d4cbaa92982a9584987ea2327e1

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\nautoup.log

Filesize
391B

MD5
14996057c3a8acd9b75466456ddb3cc8

SHA1
65f6f9f36e8baf15cf27d907d9fc958da63af817

SHA256
fc3bff18b469ebbfc80773b9c1717c6e9479b5335628989a68ee2d9cf856d0c2

SHA512
3dd23ecabb1ccf44a1495d4f296ec84803d0fa1aa641bff540adad0c4343524825fdaf8b3fd44eb48928d43ab5174e294a2a951da9c6a989040e507a1139d19f

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe

Filesize
68KB

MD5
4f8ec9279ce71a9feafd811a2a0fe8fc

SHA1
8c5e103eeb3dec74297b41739a28eb0c1b4d0478

SHA256
8a730e05ec59ca9c2bea7b950b7178c5174da28d0843ba1f3f10b47e352b219d

SHA512
61c0b531b0530afba51138bc8d876a715e059fa716652b9155bead099c1e6dea9a972f219bc593d6e0ef4d7bc849a9108cb6cd99eb72e61d8d0f45e3199908c9

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.ini

Filesize
362B

MD5
3352808839a5d78e7ba644eee3baee26

SHA1
74e8e0558fac4fa9b4b6edb4cd965c3a48611493

SHA256
b5f551b88b1c76f9b54ccec5f3c19e4f91ea1705320dccbcb1f75d5a9c5cc9b9

SHA512
c3ac39b6b4feccb4da905cf79c40e00d332fcb420759d089eba13baa13fa6e70569e2ad24656648523557b8c5542cdef57ac71d18a5d233899b34b6c8d9bca93

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.log

Filesize
1KB

MD5
b331d32fd210c22f3964d94bea41229d

SHA1
0b5c8db09efdd33e049df373b3bfec02a20d4d35

SHA256
0d1673020bc2f1541e0f70063e4a2044c195c23f208780bb74afad849396155e

SHA512
7533d0ac8cc1acdf9ba7dab44b12cdb435f6f47210381ec750a4cad630cfef5e470e424e92347844fb9d37bc82df32bc4a5aa6f195c04683fee14e514954315a

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.log

Filesize
442B

MD5
903fb57e586de6a73ff0f925d1e37285

SHA1
c4ad036091079d29671470fd601022baef435098

SHA256
8d25f8ff347ff5c36139efda5f0209e44ea283bdc166c9901ccd7869c6d03362

SHA512
59c20a493940faa9f793613fb2f3e7a6e5be8ee098c32effca5c479e372185be9f7ec944ebb0ac10684bd0748197c9d4ba5598f17c4767075affd789643006c6

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.dll

Filesize
173KB

MD5
ed9849f48772d4ec5e908d734c00c961

SHA1
b0a0f33eceefcdc18da32a67297637610fe9054c

SHA256
8899425303feb63b583a562189f50458d16c805f1d363a61fdee0444833ab644

SHA512
3ce061c449c6379fa0f7178280b69aea3ebeb97fec24eb54984fc78f1fd1d8fa66be8a3347a07982bfae566feb93b28da662061cee8ddee5cfa6f34811ae3190

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.exe

Filesize
221KB

MD5
4776b67e6c7f6bcd3d713b84fbe08f65

SHA1
a42a88fd3510b160f3ced8434b524281cb99f6d6

SHA256
1bedf458f12e8cb8347197fe992661532c2bb5d517065c3f2c5bf000483a1bf1

SHA512
9e0aa04c87e8b5d79c90b4821c0ab8dad2821ecfe40a72c2a93046873841af86e5d78f3759fec5ce329c68c2d3bb77f049a8249685a0594ef541a07a2182cbb5

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\sbinstall.reg

Filesize
830B

MD5
99efeac3859992432d0973cbac6e9b30

SHA1
6f987006f2fe72031084bb86e18ed2f7ba4807e6

SHA256
a89c9dcc2775d7b98f177fd55c553e5b00d1800a59322e1e1e854a79620868ae

SHA512
42c441aade296c8acce5d424b919e14476d0da84a552dba118c7487415540020687fe290849214dc8067fdbc35a7a6002cd687faf048d7d2e495fd476b3788e3

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\sbinstall.reg

Filesize
324B

MD5
058f2758bb8063271a5c5c6257ea9cd2

SHA1
6928513ee55a2a32871c08f1a3aa890c6147b074

SHA256
2e58e8a351d814537317d27c339272ec69e611daa63c7df80a3dc8666096fc98

SHA512
0bc4a847b8aaf00f596ef97a9942882a224397b5af52628417695724d4b9dec07547f48003c902493e71832c1622305736d7119e5a278822ab55cfccef1df1a7

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\sslaunch.dll

Filesize
60KB

MD5
412706c54d6ed78c5cd624dc55ef293f

SHA1
a4edb4fe218916ed2294458e7829ed608d6eb4f0

SHA256
572b99582027ac31ea036ddb8066bb4118e7c44ab98125a35f863cc710a4ebcf

SHA512
1e8fb64759f17223f93260ce27d6e877ff8f704391703457e52925582d88b1b094f824708157aa336291cefff478041986a223ee5ffc03af1b6c9563512bc6c2

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.mdb

Filesize
232KB

MD5
c97a84a59cdb6dff2fc2f128db36e002

SHA1
6a0a13a4ad80ae1fcf42ab6697f0163d62ec4f75

SHA256
f4fd69bbb2790905788294ccebe55acd2016d3abe08fb21ff53a81bc4d4580d5

SHA512
4d264f94b99844cf3cb1e0abec7d3ace8593d7d2fcd6bdd017f2e271a5f53bc2ffc7093955960c232011e6b8ae853cfcc8ed0c83236142a9699f36420ef52f09

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\tagstemp.mdb

Filesize
184KB

MD5
499943ab2d6a704f9d7dbb8ec1aeed61

SHA1
f98e08c95e7229e3e32d587e061c8548e0e4d411

SHA256
504890d04367979ba23222b15892df6b75f140fde436219bb4d49ac5e949597a

SHA512
c4c7d8ec105fc77e6e109fb1e6aed317a41b794b2c87d55d84e23e74fb4fca546f8e95b590fdedbfbd3295f0ee08bb6cca2f8979022ced29e62a6851f26b2d3d

Download Submit
C:\Program Files (x86)\netimo\Common Shared\URLHelper\urld.exe

Filesize
24KB

MD5
7976109acc6cdb26f4a547d8c6dfd883

SHA1
a44f84119c307ff84c2af9e36e4c997c9477eacc

SHA256
c9d815568b137badd66801375fa45a84059b54091e6b41736168d5e8ff014924

SHA512
57a906fc649c13dab773c2f09d5945b2b56a3a26a8df2c922fa120175b7115076dda11b9367101e3853758be478b61bdfd46457735522e73f68ae7a5de39833f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE262.tmp\TypeLib.dll

Filesize
3KB

MD5
56abaa41368ddf53d01421760f9d72f4

SHA1
68a4e41d46366e8116bdfeba34d94b628fc6fb45

SHA256
75c206fba2ec5d344ca514e6451d8892f939f15e8afc1c132bbc9eca886ed1de

SHA512
98aaee865ee756f6193fb89f35aaf019953c597f92f0e6d3f4a8ead27d5c09f8ac9d39b547a655f2eb4ce6b8867b4e12a20f43749bce3bc2a5f7e668378649d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE262.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Windows\SysWOW64\DWSHK80.OCX

Filesize
200KB

MD5
956041a95acf9738b712c71c55672094

SHA1
84959e2c0b07d631de4f71da32e1c3c301285e68

SHA256
8413fe7000baca9e7a2fdef33922d17d97ef9d16799444b945b3c73fee953c6b

SHA512
c93085f6e4159e3a75e9167e036214930a3ec3960d5eb3e0812f164a841f60b1c3454bcc7a2227b7d0e80c303db11d322a1e6862d643a614c32e4d6b1798b298

Download Submit
C:\Windows\SysWOW64\dwsbc80.OCX

Filesize
167KB

MD5
456b24a38b8e2d2f3303e0b4d05cc929

SHA1
3c981bbac31706cc9189605959f9eba7acbb17a7

SHA256
242934d4d92948817dd00eec4e8592f7044f5bfc7b2ad2603c826c5cea7b09e5

SHA512
4476f50a9ade47c848f882b56758111d39a79e61ac62cebf09c8b8d7baaaa77767c11da6e6732caa383b372d0d8a49be116e111299f637e2ea722fa5fd978385

Download Submit
C:\Windows\SysWOW64\dwshengine80.dll

Filesize
137KB

MD5
df901a23e6da0cad1981f0a7c13fbf24

SHA1
78f8f8e857e5ce4dce9fdc6658b5780b07167df7

SHA256
a8ab488c1ffeed943a68ce7f72fa2eb1b9b21b62c01fbd405a93906a4b357621

SHA512
1d530caccd728006b1c169a9684044b45384ff4caca02f95c26e15339c4bcfad00f70a85b9f3b6d6d84aed242536ecea454636688e33fa6c6558f67378fc8228

Download Submit
C:\Windows\SysWOW64\vb6ko.dll

Filesize
99KB

MD5
84742b5754690ed667372be561cf518d

SHA1
ef97aa43f804f447498568fc33704800b91a7381

SHA256
52b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751

SHA512
72ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0

Download Submit
C:\nautoup.log

Filesize
218B

MD5
edb9fb8c8af51c8d664e772ffe851944

SHA1
44a3a6b819f57a967fbaefb3bac3d0cd302c0d6e

SHA256
7fb6ecea112d4995f6c0ff61ca57c0566311f442441a175d8b8526cdfb000304

SHA512
ebdda1e028a9a703dab17056a93400c2b7afb119c2b0c925b2e60a3d09a9d7759be76d672bfe85ce4b53c4923a92c4dc72a6e32a96592a264f24ce6ecc2d106c

Download Submit