Analysis
max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 22-06-2024 12:55
Static task: static1

Behavioral task: behavioral1
Sample: 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
Size: 530KB
MD5: 0237f17f99d9ebe657b2542897a64c19
SHA1: a19e78c85ee53614a1ff6b640a42389db27e9e29
SHA256: e8a2cc4cc538c9c382d6978293101d3788728532666dad5e5f6eaf5e0313ef96
SHA512: 52796cf6b12c050695158060ce58b3bedbadc3568295b84b3a3f7be1fff79779a69869882bcd939a2ebab52f974cf579a686a97a7aa07b42885bc43d30000c33
SSDEEP: 12288:oSOT2JTqD9G6+gO9psKeeZYVy3h2ijdmmsjWMXDnN9:oSOrZETsZeZYVyR2zjWeLP
Malware Config
Signatures
Executes dropped EXE 22 IoCs
pid  | Process
2964 | cb8034_ICMEDIAX.exe
5108 | nls8034_ICMEDIAX.exe
2808 | adp8034_ICMEDIAX.exe
3580 | exdl.exe
972  | exdl.exe
4148 | exdl.exe
3356 | cashback.exe
5052 | nls.exe
2352 | bargains.exe
4592 | exdl1.exe
1636 | exdl2.exe
2756 | exdl3.exe
1096 | autoheal.exe
2996 | angelex.exe
1168 | instsrv.exe
4860 | msexreg.exe
4216 | msexreg.exe
4812 | msexreg.exe
1296 | msexreg.exe
2492 | msexreg.exe
3224 | msexreg.exe
3268 | msexreg.exe
Loads dropped DLL 9 IoCs
pid  | Process
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
3012 | regsvr32.exe
2152 | regsvr32.exe
1216 | regsvr32.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CashBack = "C:\\Program Files (x86)\\CashBack\\bin\\cashback.exe" | cb8034_ICMEDIAX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NaviSearch = "C:\\Program Files (x86)\\NaviSearch\\bin\\nls.exe" | nls8034_ICMEDIAX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BullsEye Network = "C:\\Program Files (x86)\\BullsEye Network\\bin\\bargains.exe" | adp8034_ICMEDIAX.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 18 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Drops file in System32 directory 34 IoCs
Drops file in Program Files directory 54 IoCs
Drops file in Windows directory 29 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 4 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023418-104.dat | nsis_installer_1
behavioral2/files/0x0008000000023418-199.dat | nsis_installer_1
behavioral2/files/0x0009000000023418-229.dat | nsis_installer_1
behavioral2/files/0x000700000002343f-351.dat | nsis_installer_1
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | nls8034_ICMEDIAX.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | nls8034_ICMEDIAX.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Search | nls8034_ICMEDIAX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://www.exactsearch.net/sidesearch" | nls8034_ICMEDIAX.exe
Modifies registry class 64 IoCs
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeBackupPrivilege | 4860 | msexreg.exe
Token: SeBackupPrivilege | 4216 | msexreg.exe
Token: SeBackupPrivilege | 4812 | msexreg.exe
Token: SeBackupPrivilege | 1296 | msexreg.exe
Token: SeBackupPrivilege | 2492 | msexreg.exe
Token: SeBackupPrivilege | 3224 | msexreg.exe
Token: SeBackupPrivilege | 3268 | msexreg.exe
Suspicious use of FindShellTrayWindow 16 IoCs
pid  | Process
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
4608 | 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
2964 | cb8034_ICMEDIAX.exe
2964 | cb8034_ICMEDIAX.exe
2964 | cb8034_ICMEDIAX.exe
2964 | cb8034_ICMEDIAX.exe
2964 | cb8034_ICMEDIAX.exe
2964 | cb8034_ICMEDIAX.exe
2808 | adp8034_ICMEDIAX.exe
3356 | cashback.exe
1096 | autoheal.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid  | Process
3356 | cashback.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4608

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32 /s C:\Windows\system32\msbe.dll
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 3012

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32 /s C:\Windows\system32\nvms.dll
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 1216

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32 /s C:\Windows\system32\mscb.dll
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 2152

    C:\Windows\cb8034_ICMEDIAX.exe
      Command line: C:\Windows\cb8034_ICMEDIAX.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      PID: 2964

    C:\Windows\nls8034_ICMEDIAX.exe
      Command line: C:\Windows\nls8034_ICMEDIAX.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      PID: 5108

    C:\Windows\adp8034_ICMEDIAX.exe
      Command line: C:\Windows\adp8034_ICMEDIAX.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      PID: 2808

    C:\Windows\exdl.exe
      Command line: exdl 1~No
      - Executes dropped EXE
      PID: 3580

    C:\Windows\exdl.exe
      Command line: exdl 2~No
      - Executes dropped EXE
      PID: 972

    C:\Windows\exdl.exe
      Command line: exdl 3~No
      - Executes dropped EXE
      PID: 4148

    C:\Program Files (x86)\CashBack\bin\cashback.exe
      Command line: "C:\Program Files (x86)\CashBack\bin\cashback.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 3356

        C:\Windows\SysWOW64\exdl3.exe
          Command line: C:\Windows\system32\exdl3.exe 3~0
          - Executes dropped EXE
          PID: 2756

    C:\Program Files (x86)\NaviSearch\bin\nls.exe
      Command line: "C:\Program Files (x86)\NaviSearch\bin\nls.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID: 5052

        C:\Windows\SysWOW64\exdl2.exe
          Command line: C:\Windows\system32\exdl2.exe 2~0
          - Executes dropped EXE
          PID: 1636

    C:\Program Files (x86)\BullsEye Network\bin\bargains.exe
      Command line: "C:\Program Files (x86)\BullsEye Network\bin\bargains.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID: 2352

        C:\Windows\SysWOW64\exdl1.exe
          Command line: C:\Windows\system32\exdl1.exe 1~0
          - Executes dropped EXE
          PID: 4592

    C:\Windows\autoheal.exe
      Command line: C:\Windows\autoheal.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1096

        C:\Windows\SysWOW64\angelex.exe
          Command line: C:\Windows\system32\angelex.exe 0
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
          PID: 2996

            C:\Windows\SysWOW64\instsrv.exe
              Command line: instsrv.exe ZESOFT C:\Windows\zeta.exe
              - Executes dropped EXE
              PID: 1168

            C:\Windows\SysWOW64\msexreg.exe
              Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Bargains C:\Windows\system32\vx1.nls
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              PID: 4860

            C:\Windows\SysWOW64\msexreg.exe
              Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy C:\Windows\system32\vx1x.nls
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              PID: 4216

            C:\Windows\SysWOW64\msexreg.exe
              Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\NaviSearch C:\Windows\system32\vx2.nls
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              PID: 4812

            C:\Windows\SysWOW64\msexreg.exe
              Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NaviSearch C:\Windows\system32\vx2x.nls
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              PID: 1296

            C:\Windows\SysWOW64\msexreg.exe
              Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\CashBack C:\Windows\system32\vx3.nls
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              PID: 2492

            C:\Windows\SysWOW64\msexreg.exe
              Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack C:\Windows\system32\vx3x.nls
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              PID: 3224

            C:\Windows\SysWOW64\msexreg.exe
              Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\eXactUtil C:\Windows\system32\vx0.nls
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              PID: 3268
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 60KB
MD5 861f3a1b7d4a9819ef1b7a8eda73e23e
SHA1 858b74e6f0668de09daef963b54a39f528933416
SHA256 a2aa9844a53aa48a825c14aaed05e2ed15dde7ba73d5edf8aa210d5ab49ad902
SHA512 8c71abe9d422e2c80b86e1090afceee557f0b8b5d0f48b6c40b46de38fca371fb09bd3d5f2ab04ea5ef057360fb9c919ed2498c3906b5a8a5a91030eaf5d126d
-
Filesize 44KB
MD5 56979b69b9ff449b792e53f7e956cecc
SHA1 6a63738d767cca38582ca84b355510a1cecb188f
SHA256 d8e3e92fff45f70b62034c754201f42d71ee8e443cdfa550219623b24281aefc
SHA512 772ceaa4967c57645ecfb0985a1b72f624a2e4ec09f0fbaca75abd98c639bd8609eb2864d45d499c35bd99863915ca1ffcc7505d2a77dd46cc664aee6f96fefc
-
Filesize 32KB
MD5 812def7df63838ed0be0a2b6a3fbcdb0
SHA1 5c5aa6bd7e118b6a9d9f18c6ffd3d2b4c9cac18f
SHA256 0376b21c8f4bb3231aa4c1afda7f491b20690cdd30ed4dd1680800e5e2a58d20
SHA512 664a8cc8e2e27e4e2974221c3be842d7307facd93008cfc0c870d452d035abda1e810cfcfc20fb4cfe1d7266251ca1d4a79dba436d6769bf2ee8accc48a10be1
-
Filesize 216KB
MD5 293b8f27d5ede0b27ef2ad2f9ecedf6d
SHA1 994d3af24ea51f0dc326840a735a632d8569ead8
SHA256 99bf422be6c81b10b423d0f33ff08b04397020b3b4b045024c36ed91d12cb490
SHA512 b49ddfe6d357ea466c1e5771b67e6bd8e1e737db29b92e94712de11495c9b2572d7e999a6282446f4f6c54852b612fffbe8509dcc88bda5bc07cd03da8432f20
-
Filesize 4KB
MD5 6d15e76001accd8fe663d52cba4ef2e5
SHA1 936329eec5cd422644bc15e2db33fdaf0172ba98
SHA256 3db760d72de2d28630aa47bf2dc932ed99563f414e14a508758609dc6e3bd714
SHA512 77972112b618680301f996546c098066eb43f63a0680bf419b2d37733177a80dc103b1efbc2425fa47f7b9edb44c8c58eb4b92ee4ec57378e9b23caea1180c87
-
Filesize 5KB
MD5 0feb450c9aaf40e8a1ac4a3d81f7cff9
SHA1 3ca296665e29c866d9a36571f43b9da721be4d9a
SHA256 0220d00b6d0073ed527cd835fb8fe392b96e4a0d138d69dc9adf697121230c97
SHA512 1c0c3bd5fa2d4357876421f56cf9e34751ff9c6faaa51e62a460ef5b033abfa1cad3d112d4d28b4f44b90bfcc3300379c057d200667b5f4ece3ffb5adc7ba451
-
Filesize 1015B
MD5 d299a27a210b338e5229785b941cfdef
SHA1 bf7d6f95922d7882f32c9718beaed1efe50e6ac1
SHA256 625dc00715f006824984271660f829dc310ceb4cb45f8af401c304a3e5aae631
SHA512 661c579b98c52191bf6d8fb79e98d91f24626dcfef36c33e31a3937623acb929a7eaf481dea7ccd56998b3bd8764287cf3f2970947c0928aca59c63727116d6b
-
Filesize 5KB
MD5 c0affacb99623c4f9a2a878f12d02647
SHA1 900c8d00e12fc1ac3af7a037fe4f1d33b15eed14
SHA256 f698303cde4e0a6d6309107c72c3274fac5a9d0634ff470b977a78602305f518
SHA512 acfcd619cf703222c3c25e1bf328cb2ac4e7497cbdf46b49ce273fd37551e7bb835c867ce072c50fe7214628c6a1a28288ee363f64de74f2c832b1bc23f7558e
-
Filesize 43B
MD5 325472601571f31e1bf00674c368d335
SHA1 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a
SHA256 b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b
SHA512 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc
-
Filesize 128KB
MD5 6facb09c2ea09a439c911515a2f32456
SHA1 1e26a2c37e06724f723080be15e67f516b9a2877
SHA256 33a3f6628277aeba874c08cd94a9e559de2c13aa4179ed5fd5e570121a3ee042
SHA512 a59b15eaf2a3cc68c183e883c4fd49a4d250201f2d09c42b9aa3ee03dc6311bc0cedaa5ec70eba3d4fefced3072cceac0657891d530522b1ecd52b35c52e02f3
-
Filesize 40KB
MD5 9899f2dd68fd636833ef144228ee3e8b
SHA1 c770f0e7645d4d3262620bd52e0e557c700dd36e
SHA256 40a105d2236e1ab6376edbd6c8611818853fbd8f3d851368def1b9fb9688862a
SHA512 2c0968492161a3176049c122c7de18baab8456c2cfbf6cc4a8bd87a1cd56f378ea590129e6cf9aa98e0b2eff962ba54515ab0caddc9dec79904a16f5ec9d9606
-
Filesize 40KB
MD5 e4d97541176ac53baca22e48cbda1acd
SHA1 a3c0cfe8915e4a3de609eb4ba1b3d6f3e20fd072
SHA256 3d8b609d207d3c4397e5db1bb083725eafbe45e043a639325d37f4d96feb8013
SHA512 99bcc270aae61d59d0af32da09581ff98bd9f1b05cb7b93d4f333924bf4a2f712a798951e98b39f8d6a0fa42b91474533ce36706625572f1bf2bd00f81fccae7
-
Filesize 636B
MD5 c2cb3f56cb075c22d7dbbb6dcca40f8e
SHA1 eab286c5466c03cf0ec8f35c53e3468229ab58b9
SHA256 59c4b81e937d00208a5b280af4eca09ea8ddacac57c79fb138f12713e4af1514
SHA512 25738608e5f87b1e3069712359e81d2558294f5e0892026a1f3628fc5cd91075f6d55bde33ccec6c15610f68106d379ac29180cf0c3df884c48805c32cab03b0
-
Filesize 2KB
MD5 5b48ebbd988ace67c6d203657fb9225a
SHA1 da0f8eedce95e19d25faf9668839c7bfa5cc97ad
SHA256 a30f9227138042bcfbd601863ea6e2f8b3657f305efb8c77ad691ac279ca8019
SHA512 5b4755537b7f95eb31e5f04aa51e01430123acac3d56a4f925dd76588bcc33c3b3b1a788ea1edfee584d8bf69e79daa470f674e5404bc04212ad3ae654d026a3
-
Filesize 878B
MD5 d7ff52ea75594a565fac58da5a66f041
SHA1 10677adeab52b900ff7a242f8ae4f7710c79512e
SHA256 b7edbc2853b8fce6ff23de355b41667efcb3274d9a4b6d6fd4e6dbe29baceaa2
SHA512 7204b7f425a8d803f7d5e9db9f8ed86bea7e575dd71cadd63100d7ad2b2681ec08d715bcc776c8435c247c1924304d737c4d7249e3edf829b8d06203239b9433
-
Filesize 84KB
MD5 3e4a8942089709e8d79392a0957a8ea8
SHA1 86c601f6b9101bb588b8819e71e5044422ea0f50
SHA256 35f7bf41136f7820889c06f0ee016ed2758632004db44eba7bbef9d006f1912e
SHA512 ce6180f7d6d4ffbfad9f001c306fecefca20c0ff366e498cf0483bdd338888dfab8e38db1294ee2ba4ae9ef995e2cda1948ebe4acfb59f7efa2b53dc6525c24a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 9KB
MD5 b76507661c80ec25c4bd2affbe2ea88f
SHA1 b023e84d392d8e22708ad4a3710464af1752526e
SHA256 bfbcebc8b1720470cc51aa6416420c43aaf2c3f942159cd49ed4239c86b20a74
SHA512 c2fb38427eb6f123b973ef54664ae4bc1bccd30f82cc640621080b7a02340cefb182528f9d3ef269993f778bc7fdb76d847368cd747bd2528e57ebc650fa0f4d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 12KB
MD5 44cabd750b87cfc4c2c63b3ab28c9348
SHA1 c00617c8c1ae1f476d9e5b42cdd5148cb21c7243
SHA256 202842d9e26d2ad58c01b4bb2e24878aa4caef55c93c7f3d7825de3f6df53c41
SHA512 e995673593fd8471adb170ccca0954873923ac6de892a977c17a36b9bb287c73e766f4c63137b236a140b2ed53e15e308c0349442d7c53fe711db878549173b2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 14KB
MD5 3233006d9fc58a419af35470ce0b59ea
SHA1 1c75888ed1f3389f986429676b7f683fce0f0ce0
SHA256 ad70db38fb11f3a5619da09af32193eab468c3bbead7b2ad5fb06659c14262d6
SHA512 8d475ddc5d2ead69eb360a61be548838cd98b09420e26b2c34c9188deea5f213d49a568f27cdfd6b7ef115c42e2c6daf647aac09fcfdd7e9a67e8247202d8064
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 16KB
MD5 95045249356aeb8c720f51da5a9ecb46
SHA1 f2d9ef6a00c8baf5148f20baaf59d68d96028608
SHA256 9ee26a9b507718d54f43d02b3a2e1b31f8ae9d9ace21ec59e6dd9e3795390015
SHA512 08b9d5ab4dc8277bc5c29bf379013f2573fc62716ce6d395d63edca8d57a3f5dd35dc80717d7b8ca163befc96403c459a40ffbae9667a23c1d5d55167c86abfe
-
Filesize 84KB
MD5 8d9a9918a759777619839cf275127de9
SHA1 fb8aeea3ed04ff3aee28a7e8dd9843779efce7c5
SHA256 0336521180fd028ca546ee5687c25beab31b56e5eea6c91509b31ee3e620980f
SHA512 6c5bce0ed532bbe19203b75f8466fc6422f24ce5d35f5441c0ba6b6b003ee3aeab1ecce7d25babf09129ae2e5be17c07e559853da459cfb5af7d48599ffbbc88
-
Filesize 31KB
MD5 77df462c59e3bc5f5effb28693221b79
SHA1 a3231b7fd124668940e0921e7ec784e44a92aa6e
SHA256 c197684156a9185c4ab460ed1f84b669771c6b8d4848cc63f9954d8637eb9414
SHA512 00cfaee49a721d3173920a1b69565abd2c7bd2d4f78ee63d429d7b903fc7649c37fcde4be08514426937e5fa96bbe69562a46c4882c6e7ddc838028bee168930
-
Filesize 56KB
MD5 675a09dbb3a90703294bf4bf937a3816
SHA1 5662279d822d0cfeebf7205288a3bf3cb79476ce
SHA256 a9fe9932e706a501cc4176ee7abe8f1cab78f54d916d5955f1e08efd7358701f
SHA512 c28758cef03312125672ce05ebe8a07fc82caa33a808b619949e6339f82934d1e57e8e3b7ee2488c66cda457a23fec1f5e8f47a7c8d2847f804ee9c88be70d6f
-
Filesize 92KB
MD5 1141f409bf9596ff9b195dd34e307e40
SHA1 1f782d8b6b519e46702667316ff6f2d962112872
SHA256 c300833a63fb6a90eeb807e3584cb8bfe2ff4b54d5e19523db1a66fff6a68932
SHA512 4f340e4cb8f167cc8c40606d9857bcd7cac34b5838aa6dd58464d81c0d903437a890cc8739d968e3dde887579599991878e8b9bb7575af655495ffb9abb5dadb
-
Filesize 20KB
MD5 ed626b1a2d7497b43c3dd299ef2c41ab
SHA1 b586abf7c9b38c750ae7c00d278e1427658193c7
SHA256 e1f9902c8785ce49b099173e9065434ffdbb3e347702d14d5d924cd439d16920
SHA512 9362f0479825297c1f416cd2207fdf831561c1f5b90247d8715e6b94385e6e8b65f4745f70d492e9c06d397fcda5cd2388315a0542e448fc48c28eefe71b9b05
-
Filesize 80KB
MD5 f4eaa09d78b46f943f8b093606866301
SHA1 87a1a3cbf775501f4285d949c42a3b8b52fa79af
SHA256 2e37739c20b29bae5f558a8f5463f7aec6090a97cb5adca6e8b6fb50ba7559de
SHA512 7b1720684348dee4b4f3549d8dbbc2272c9cc2f364b26085401c4c861d52f3a820aa99aa2dabd99be1df38797ff2360093ea6fb03e0a62f7821b1416e2f3eb4f
-
Filesize 164KB
MD5 bb83cba39e9f69b0ea9f79aaf1cef729
SHA1 a0d98be45bb23f8a6feaecc1092f2ba3dc91221c
SHA256 7036a541caba0e20169f8cb5a906de7a7eaaec862abe5936691acc1a2657a057
SHA512 0d506b0151b74e6317fd63dd0671cf6294920e1f052861d983eeea40a7ee1aa31f4c108f58615cfc85bba22555d9abed95b8dea9cbf82136975a996fa4d95dee
-
Filesize 75KB
MD5 883b06a996b3c351b97c8069951b5bd4
SHA1 9dd1a272c92b3cd73d59dba17c29783d7e39a61d
SHA256 7311608a1af5d2bad5dabd58fed9ebee5b9a5f99c06d9adc97c4302afec410f4
SHA512 ed9dc896b1884f302188274b0e52bf457d0724fd9afce2510d26bd76d6e0d3b2ca9c83c8e9a0101397579eb26565f508af7cb68093e4d2ef706d4d90919f87ff
-
Filesize 12KB
MD5 68d9018bcfa92be76496c143ce4f9dce
SHA1 6f48c0d1910bc6c0b6ed005fc1c540de002e6c6e
SHA256 55640c5d5611894e5ca968f0d14e428b86a6f664a8336593b93bea61d48abda2
SHA512 8c503e125cb96a6483593c259684388150c4702112b89a9740f6fc50ceb676ff286130d71aaa544bc9bf317b1d6ec7c1ea1c79b360fc4d77483b8bf2cecff5a1
-
Filesize 161KB
MD5 c2c6fcaa3775bab675859ccf937cb93c
SHA1 dd4cb09f48cf713b2a51aad77a13922bbd89366c
SHA256 81a470036f9c997c949ba57149a9f7365af610a0a4c94d1dae5f0612cb467eda
SHA512 4d1533c34ad851ccb89a84fd3d5413f1362a12ce8e631e03e47b6afe554e4fe79b10061082edd3ea2cd27a590219df70bf7fa366ba7ccdefe4db61414c492cd8
-
Filesize 31KB
MD5 9f51cdf75d08b49ed39ebc05e3374bd0
SHA1 de37070deeefc3ae9d642520d1be55579bfca45d
SHA256 b87851eb4df8069cec166317fb079a46da5699faec098f0a5cb7f0a8a25423cc
SHA512 965d69c849cf9ec9ae66dba5d3948c755afcab07cf46857e871c18f5d6ab89171da91c5a6a4d28323cdd22bf81e669d255ab1610566de1da58884fb08bb146d9
-
Filesize 108KB
MD5 799431b1ba4ee0dd68cd3a7097ef20a5
SHA1 da34770c2fe613cb90e2cc452d29f1e101f04ba5
SHA256 26594ac21f6c4683286b5a29920a4701211fe15f9ae9c91db34681237314bc7f
SHA512 e7bade33dc5385940009f4500ff60f99a557c0fb40f93fb772cef2c34a2c25d7de2429faab42a31ef6b5f84ad40238f44893d3758925e9a2f17ccd3062fe9c7c
-
Filesize 36KB
MD5 9b571f4eb622096d7989dff203b0bbe1
SHA1 c9b192394dba6e2e77247a6adf0ac31c2a3fb8e1
SHA256 e08ffb748740b4cb4b11b210e4ae5cc5e9ec8876e8c79179fc2bf111ccc37c37
SHA512 bb2843f6a3252b6ac7c051624b2e9f89dc3774805a09bd9d4af3394f6238a4a0096dcced94e809156edf4813aef27198cbc822bbe4af2bcf547932dfe1690d88
-
Filesize 132KB
MD5 cb90a48a7bc692a0165dc5cc79454c5f
SHA1 a82128b70b00467029cb4de5df44838e5b45fc26
SHA256 f7319462926520b3ccee2731a1792235d060ce26356ccf361777ad530fe5ef1d
SHA512 1274c144f0556085578d52013d1f996dc5b998d79458eee03494036d9c2a32549cdeab2c84e02f03c148001fb42a6042771281209ed14a6ff535d5fc37a6882c
-
Filesize 20KB
MD5 584c95b07f7c32469e3eea5c5735acd4
SHA1 4c90b4884fa1efdb50ee7ce88aaa600549e65464
SHA256 0d26b912d323d509a29466356772fd03d4006f8c253f7b1243149af2a8ff8073
SHA512 d0728f09f6aebfa11e1476854254b2bb0f95c6846a7f27040fc751befc6fd94b77c931d40c911bfdeea8af8ce3a338797727ef1828f52d0cf705ffc31c396d99