Analysis Overview
SHA256
e8a2cc4cc538c9c382d6978293101d3788728532666dad5e5f6eaf5e0313ef96
Threat Level: Shows suspicious behavior
The file 0237f17f99d9ebe657b2542897a64c19_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Adds Run key to start application
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious use of FindShellTrayWindow
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-22 12:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 12:55
Reported
2024-06-22 12:57
Platform
win7-20240611-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| N/A | N/A | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| N/A | N/A | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\exdl2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\exdl3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\exdl1.exe | N/A |
| N/A | N/A | C:\Windows\autoheal.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\angelex.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\instsrv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CashBack = "C:\\Program Files (x86)\\CashBack\\bin\\cashback.exe" | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NaviSearch = "C:\\Program Files (x86)\\NaviSearch\\bin\\nls.exe" | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BullsEye Network = "C:\\Program Files (x86)\\BullsEye Network\\bin\\bargains.exe" | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14}\ | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\ | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\nvms.dll | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\vx1x.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\vx3x.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\vx0.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\netut80ex.vxd | C:\Windows\SysWOW64\angelex.exe | N/A |
| File created | C:\Windows\SysWOW64\exdl3.exe | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exdl1.exe | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | N/A |
| File created | C:\Windows\System32\javexulm.vxd | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System32\bbchk.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System32\trkgif.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\msbe.dll | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\instsrv.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\msexreg.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\mac80ex.idf | C:\Windows\SysWOW64\angelex.exe | N/A |
| File created | C:\Windows\SysWOW64\psis80ex.ax | C:\Windows\SysWOW64\angelex.exe | N/A |
| File created | C:\Windows\System32\mqexdlm.srg | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mscb.dll | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exdl2.exe | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exdl3.exe | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
| File created | C:\Windows\SysWOW64\instsrv.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\exdl2.exe | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\angelex.exe | C:\Windows\autoheal.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msexreg.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\vx1.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\System32\exul.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\exdl1.exe | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | N/A |
| File created | C:\Windows\SysWOW64\vx2.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\vx3.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\System32\exdl.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\System32\exclean.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\vx2x.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\angelex.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\javex80.vxd | C:\Windows\SysWOW64\angelex.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\NaviSearch\nvms.dll | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\ad-nls.dat | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BullsEye Network\bargains.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\adx.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\flash.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\logo.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bin\cashback.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bin\cb.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BullsEye Network\adx.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\template.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\t1719060915.dec | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bb_auto_wider.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\icon.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BullsEye Network\adv.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\template2.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\bin\nls.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\icon.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\logo.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\bargains.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bb_welcome1.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\bin\adv.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\template.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\blank.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\bin\adx.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NaviSearch\t1719060915.dec | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\cashback.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\flash.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NaviSearch\ad-nls.dat | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\template2.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bb_click_wider.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bb_welcome.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\Uninstall.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\nls.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\adv.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\Uninstall.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\cb.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bb_auto_wider.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bin\flash.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NaviSearch\nls.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bb_welcome.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\blank.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\cashback.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\cb.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bb_welcome1.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bb_click_wider.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\t1719060915.dec | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\nvms.dll | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\ad.dat | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\Uninstall.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\t1719060915.dec | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://www.exactsearch.net/sidesearch" | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\TypeLib | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CB.UrlCatcher.1\CLSID\ = "{CE188402-6EE7-4022-8868-AB25173A3E14}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ = "ADP UrlCatcher Class" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CB.UrlCatcher\ = "CB UrlCatcher Class" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}\TypeLib | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ADP.UrlCatcher\CLSID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\VersionIndependentProgID\ = "CB.UrlCatcher" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\TypeLib | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ADP.UrlCatcher\ = "ADP UrlCatcher Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ProgID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}\TypeLib\ = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ = "ADP UrlCatcher Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\VersionIndependentProgID\ = "NLS.UrlCatcher" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\InprocServer32\ = "C:\\Windows\\SysWow64\\msbe.dll" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NLS.UrlCatcher\ = "NLS UrlCatcher Class" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\nvms.dll" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\ = "IUrlCatcher" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\nvms.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mscb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CB.UrlCatcher.1 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\ = "IUrlCatcher" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ProgID\ = "ADP.UrlCatcher.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468}\TypeLib\ = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\ProgID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CB.UrlCatcher.1\ = "CB UrlCatcher Class" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}\ = "IXYZ" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\Programmable | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ProgID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NLS.UrlCatcher.1\ = "NLS UrlCatcher Class" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\system32\msbe.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\system32\nvms.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\system32\mscb.dll
C:\Windows\cb8034_ICMEDIAX.exe
C:\Windows\cb8034_ICMEDIAX.exe
C:\Windows\nls8034_ICMEDIAX.exe
C:\Windows\nls8034_ICMEDIAX.exe
C:\Windows\adp8034_ICMEDIAX.exe
C:\Windows\adp8034_ICMEDIAX.exe
C:\Program Files (x86)\CashBack\bin\cashback.exe
"C:\Program Files (x86)\CashBack\bin\cashback.exe"
C:\Program Files (x86)\NaviSearch\bin\nls.exe
"C:\Program Files (x86)\NaviSearch\bin\nls.exe"
C:\Program Files (x86)\BullsEye Network\bin\bargains.exe
"C:\Program Files (x86)\BullsEye Network\bin\bargains.exe"
C:\Windows\SysWOW64\exdl2.exe
C:\Windows\system32\exdl2.exe 2~0
C:\Windows\SysWOW64\exdl3.exe
C:\Windows\system32\exdl3.exe 3~0
C:\Windows\SysWOW64\exdl1.exe
C:\Windows\system32\exdl1.exe 1~0
C:\Windows\autoheal.exe
C:\Windows\autoheal.exe
C:\Windows\SysWOW64\angelex.exe
C:\Windows\system32\angelex.exe 0
C:\Windows\SysWOW64\instsrv.exe
instsrv.exe ZESOFT C:\Windows\zeta.exe
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Bargains C:\Windows\system32\vx1.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy C:\Windows\system32\vx1x.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\NaviSearch C:\Windows\system32\vx2.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NaviSearch C:\Windows\system32\vx2x.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\CashBack C:\Windows\system32\vx3.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack C:\Windows\system32\vx3x.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\eXactUtil C:\Windows\system32\vx0.nls
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | adpopper.outblaze.com | udp |
| US | 8.8.8.8:53 | adpopper.outblaze.com | udp |
Files
C:\Windows\exdl.exe
| MD5 | 799431b1ba4ee0dd68cd3a7097ef20a5 |
| SHA1 | da34770c2fe613cb90e2cc452d29f1e101f04ba5 |
| SHA256 | 26594ac21f6c4683286b5a29920a4701211fe15f9ae9c91db34681237314bc7f |
| SHA512 | e7bade33dc5385940009f4500ff60f99a557c0fb40f93fb772cef2c34a2c25d7de2429faab42a31ef6b5f84ad40238f44893d3758925e9a2f17ccd3062fe9c7c |
C:\Windows\exul.exe
| MD5 | 9b571f4eb622096d7989dff203b0bbe1 |
| SHA1 | c9b192394dba6e2e77247a6adf0ac31c2a3fb8e1 |
| SHA256 | e08ffb748740b4cb4b11b210e4ae5cc5e9ec8876e8c79179fc2bf111ccc37c37 |
| SHA512 | bb2843f6a3252b6ac7c051624b2e9f89dc3774805a09bd9d4af3394f6238a4a0096dcced94e809156edf4813aef27198cbc822bbe4af2bcf547932dfe1690d88 |
C:\Windows\bbchk.exe
| MD5 | 68d9018bcfa92be76496c143ce4f9dce |
| SHA1 | 6f48c0d1910bc6c0b6ed005fc1c540de002e6c6e |
| SHA256 | 55640c5d5611894e5ca968f0d14e428b86a6f664a8336593b93bea61d48abda2 |
| SHA512 | 8c503e125cb96a6483593c259684388150c4702112b89a9740f6fc50ceb676ff286130d71aaa544bc9bf317b1d6ec7c1ea1c79b360fc4d77483b8bf2cecff5a1 |
C:\Windows\trkgif.exe
| MD5 | 584c95b07f7c32469e3eea5c5735acd4 |
| SHA1 | 4c90b4884fa1efdb50ee7ce88aaa600549e65464 |
| SHA256 | 0d26b912d323d509a29466356772fd03d4006f8c253f7b1243149af2a8ff8073 |
| SHA512 | d0728f09f6aebfa11e1476854254b2bb0f95c6846a7f27040fc751befc6fd94b77c931d40c911bfdeea8af8ce3a338797727ef1828f52d0cf705ffc31c396d99 |
C:\Windows\SysWOW64\msbe.dll
| MD5 | 675a09dbb3a90703294bf4bf937a3816 |
| SHA1 | 5662279d822d0cfeebf7205288a3bf3cb79476ce |
| SHA256 | a9fe9932e706a501cc4176ee7abe8f1cab78f54d916d5955f1e08efd7358701f |
| SHA512 | c28758cef03312125672ce05ebe8a07fc82caa33a808b619949e6339f82934d1e57e8e3b7ee2488c66cda457a23fec1f5e8f47a7c8d2847f804ee9c88be70d6f |
\Windows\SysWOW64\nvms.dll
| MD5 | f4eaa09d78b46f943f8b093606866301 |
| SHA1 | 87a1a3cbf775501f4285d949c42a3b8b52fa79af |
| SHA256 | 2e37739c20b29bae5f558a8f5463f7aec6090a97cb5adca6e8b6fb50ba7559de |
| SHA512 | 7b1720684348dee4b4f3549d8dbbc2272c9cc2f364b26085401c4c861d52f3a820aa99aa2dabd99be1df38797ff2360093ea6fb03e0a62f7821b1416e2f3eb4f |
C:\Windows\SysWOW64\mscb.dll
| MD5 | 1141f409bf9596ff9b195dd34e307e40 |
| SHA1 | 1f782d8b6b519e46702667316ff6f2d962112872 |
| SHA256 | c300833a63fb6a90eeb807e3584cb8bfe2ff4b54d5e19523db1a66fff6a68932 |
| SHA512 | 4f340e4cb8f167cc8c40606d9857bcd7cac34b5838aa6dd58464d81c0d903437a890cc8739d968e3dde887579599991878e8b9bb7575af655495ffb9abb5dadb |
C:\Windows\exclean.exe
| MD5 | 9f51cdf75d08b49ed39ebc05e3374bd0 |
| SHA1 | de37070deeefc3ae9d642520d1be55579bfca45d |
| SHA256 | b87851eb4df8069cec166317fb079a46da5699faec098f0a5cb7f0a8a25423cc |
| SHA512 | 965d69c849cf9ec9ae66dba5d3948c755afcab07cf46857e871c18f5d6ab89171da91c5a6a4d28323cdd22bf81e669d255ab1610566de1da58884fb08bb146d9 |
C:\Windows\cb8034_ICMEDIAX.exe
| MD5 | c2c6fcaa3775bab675859ccf937cb93c |
| SHA1 | dd4cb09f48cf713b2a51aad77a13922bbd89366c |
| SHA256 | 81a470036f9c997c949ba57149a9f7365af610a0a4c94d1dae5f0612cb467eda |
| SHA512 | 4d1533c34ad851ccb89a84fd3d5413f1362a12ce8e631e03e47b6afe554e4fe79b10061082edd3ea2cd27a590219df70bf7fa366ba7ccdefe4db61414c492cd8 |
C:\Program Files (x86)\CashBack\cashback.exe
| MD5 | 6facb09c2ea09a439c911515a2f32456 |
| SHA1 | 1e26a2c37e06724f723080be15e67f516b9a2877 |
| SHA256 | 33a3f6628277aeba874c08cd94a9e559de2c13aa4179ed5fd5e570121a3ee042 |
| SHA512 | a59b15eaf2a3cc68c183e883c4fd49a4d250201f2d09c42b9aa3ee03dc6311bc0cedaa5ec70eba3d4fefced3072cceac0657891d530522b1ecd52b35c52e02f3 |
C:\Program Files (x86)\CashBack\cb.exe
| MD5 | 9899f2dd68fd636833ef144228ee3e8b |
| SHA1 | c770f0e7645d4d3262620bd52e0e557c700dd36e |
| SHA256 | 40a105d2236e1ab6376edbd6c8611818853fbd8f3d851368def1b9fb9688862a |
| SHA512 | 2c0968492161a3176049c122c7de18baab8456c2cfbf6cc4a8bd87a1cd56f378ea590129e6cf9aa98e0b2eff962ba54515ab0caddc9dec79904a16f5ec9d9606 |
C:\Program Files (x86)\CashBack\flash.exe
| MD5 | e4d97541176ac53baca22e48cbda1acd |
| SHA1 | a3c0cfe8915e4a3de609eb4ba1b3d6f3e20fd072 |
| SHA256 | 3d8b609d207d3c4397e5db1bb083725eafbe45e043a639325d37f4d96feb8013 |
| SHA512 | 99bcc270aae61d59d0af32da09581ff98bd9f1b05cb7b93d4f333924bf4a2f712a798951e98b39f8d6a0fa42b91474533ce36706625572f1bf2bd00f81fccae7 |
C:\Program Files (x86)\CashBack\bb_click_wider.swf
| MD5 | 0feb450c9aaf40e8a1ac4a3d81f7cff9 |
| SHA1 | 3ca296665e29c866d9a36571f43b9da721be4d9a |
| SHA256 | 0220d00b6d0073ed527cd835fb8fe392b96e4a0d138d69dc9adf697121230c97 |
| SHA512 | 1c0c3bd5fa2d4357876421f56cf9e34751ff9c6faaa51e62a460ef5b033abfa1cad3d112d4d28b4f44b90bfcc3300379c057d200667b5f4ece3ffb5adc7ba451 |
C:\Program Files (x86)\CashBack\bb_auto_wider.swf
| MD5 | 6d15e76001accd8fe663d52cba4ef2e5 |
| SHA1 | 936329eec5cd422644bc15e2db33fdaf0172ba98 |
| SHA256 | 3db760d72de2d28630aa47bf2dc932ed99563f414e14a508758609dc6e3bd714 |
| SHA512 | 77972112b618680301f996546c098066eb43f63a0680bf419b2d37733177a80dc103b1efbc2425fa47f7b9edb44c8c58eb4b92ee4ec57378e9b23caea1180c87 |
C:\Program Files (x86)\CashBack\bb_welcome.html
| MD5 | d299a27a210b338e5229785b941cfdef |
| SHA1 | bf7d6f95922d7882f32c9718beaed1efe50e6ac1 |
| SHA256 | 625dc00715f006824984271660f829dc310ceb4cb45f8af401c304a3e5aae631 |
| SHA512 | 661c579b98c52191bf6d8fb79e98d91f24626dcfef36c33e31a3937623acb929a7eaf481dea7ccd56998b3bd8764287cf3f2970947c0928aca59c63727116d6b |
C:\Program Files (x86)\CashBack\bb_welcome1.swf
| MD5 | c0affacb99623c4f9a2a878f12d02647 |
| SHA1 | 900c8d00e12fc1ac3af7a037fe4f1d33b15eed14 |
| SHA256 | f698303cde4e0a6d6309107c72c3274fac5a9d0634ff470b977a78602305f518 |
| SHA512 | acfcd619cf703222c3c25e1bf328cb2ac4e7497cbdf46b49ce273fd37551e7bb835c867ce072c50fe7214628c6a1a28288ee363f64de74f2c832b1bc23f7558e |
C:\Program Files (x86)\CashBack\blank.gif
| MD5 | 325472601571f31e1bf00674c368d335 |
| SHA1 | 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a |
| SHA256 | b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b |
| SHA512 | 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc |
C:\Program Files (x86)\CashBack\icon.gif
| MD5 | c2cb3f56cb075c22d7dbbb6dcca40f8e |
| SHA1 | eab286c5466c03cf0ec8f35c53e3468229ab58b9 |
| SHA256 | 59c4b81e937d00208a5b280af4eca09ea8ddacac57c79fb138f12713e4af1514 |
| SHA512 | 25738608e5f87b1e3069712359e81d2558294f5e0892026a1f3628fc5cd91075f6d55bde33ccec6c15610f68106d379ac29180cf0c3df884c48805c32cab03b0 |
C:\Program Files (x86)\CashBack\logo.gif
| MD5 | 5b48ebbd988ace67c6d203657fb9225a |
| SHA1 | da0f8eedce95e19d25faf9668839c7bfa5cc97ad |
| SHA256 | a30f9227138042bcfbd601863ea6e2f8b3657f305efb8c77ad691ac279ca8019 |
| SHA512 | 5b4755537b7f95eb31e5f04aa51e01430123acac3d56a4f925dd76588bcc33c3b3b1a788ea1edfee584d8bf69e79daa470f674e5404bc04212ad3ae654d026a3 |
C:\Windows\nls8034_ICMEDIAX.exe
| MD5 | cb90a48a7bc692a0165dc5cc79454c5f |
| SHA1 | a82128b70b00467029cb4de5df44838e5b45fc26 |
| SHA256 | f7319462926520b3ccee2731a1792235d060ce26356ccf361777ad530fe5ef1d |
| SHA512 | 1274c144f0556085578d52013d1f996dc5b998d79458eee03494036d9c2a32549cdeab2c84e02f03c148001fb42a6042771281209ed14a6ff535d5fc37a6882c |
C:\Program Files (x86)\NaviSearch\nls.exe
| MD5 | 3e4a8942089709e8d79392a0957a8ea8 |
| SHA1 | 86c601f6b9101bb588b8819e71e5044422ea0f50 |
| SHA256 | 35f7bf41136f7820889c06f0ee016ed2758632004db44eba7bbef9d006f1912e |
| SHA512 | ce6180f7d6d4ffbfad9f001c306fecefca20c0ff366e498cf0483bdd338888dfab8e38db1294ee2ba4ae9ef995e2cda1948ebe4acfb59f7efa2b53dc6525c24a |
C:\Program Files (x86)\NaviSearch\ad-nls.dat
| MD5 | d7ff52ea75594a565fac58da5a66f041 |
| SHA1 | 10677adeab52b900ff7a242f8ae4f7710c79512e |
| SHA256 | b7edbc2853b8fce6ff23de355b41667efcb3274d9a4b6d6fd4e6dbe29baceaa2 |
| SHA512 | 7204b7f425a8d803f7d5e9db9f8ed86bea7e575dd71cadd63100d7ad2b2681ec08d715bcc776c8435c247c1924304d737c4d7249e3edf829b8d06203239b9433 |
C:\Windows\adp8034_ICMEDIAX.exe
| MD5 | bb83cba39e9f69b0ea9f79aaf1cef729 |
| SHA1 | a0d98be45bb23f8a6feaecc1092f2ba3dc91221c |
| SHA256 | 7036a541caba0e20169f8cb5a906de7a7eaaec862abe5936691acc1a2657a057 |
| SHA512 | 0d506b0151b74e6317fd63dd0671cf6294920e1f052861d983eeea40a7ee1aa31f4c108f58615cfc85bba22555d9abed95b8dea9cbf82136975a996fa4d95dee |
C:\Program Files (x86)\BullsEye Network\bargains.exe
| MD5 | 293b8f27d5ede0b27ef2ad2f9ecedf6d |
| SHA1 | 994d3af24ea51f0dc326840a735a632d8569ead8 |
| SHA256 | 99bf422be6c81b10b423d0f33ff08b04397020b3b4b045024c36ed91d12cb490 |
| SHA512 | b49ddfe6d357ea466c1e5771b67e6bd8e1e737db29b92e94712de11495c9b2572d7e999a6282446f4f6c54852b612fffbe8509dcc88bda5bc07cd03da8432f20 |
C:\Program Files (x86)\BullsEye Network\adv.exe
| MD5 | 56979b69b9ff449b792e53f7e956cecc |
| SHA1 | 6a63738d767cca38582ca84b355510a1cecb188f |
| SHA256 | d8e3e92fff45f70b62034c754201f42d71ee8e443cdfa550219623b24281aefc |
| SHA512 | 772ceaa4967c57645ecfb0985a1b72f624a2e4ec09f0fbaca75abd98c639bd8609eb2864d45d499c35bd99863915ca1ffcc7505d2a77dd46cc664aee6f96fefc |
C:\Program Files (x86)\BullsEye Network\adx.exe
| MD5 | 812def7df63838ed0be0a2b6a3fbcdb0 |
| SHA1 | 5c5aa6bd7e118b6a9d9f18c6ffd3d2b4c9cac18f |
| SHA256 | 0376b21c8f4bb3231aa4c1afda7f491b20690cdd30ed4dd1680800e5e2a58d20 |
| SHA512 | 664a8cc8e2e27e4e2974221c3be842d7307facd93008cfc0c870d452d035abda1e810cfcfc20fb4cfe1d7266251ca1d4a79dba436d6769bf2ee8accc48a10be1 |
C:\Windows\SysWOW64\angelex.exe
| MD5 | 8d9a9918a759777619839cf275127de9 |
| SHA1 | fb8aeea3ed04ff3aee28a7e8dd9843779efce7c5 |
| SHA256 | 0336521180fd028ca546ee5687c25beab31b56e5eea6c91509b31ee3e620980f |
| SHA512 | 6c5bce0ed532bbe19203b75f8466fc6422f24ce5d35f5441c0ba6b6b003ee3aeab1ecce7d25babf09129ae2e5be17c07e559853da459cfb5af7d48599ffbbc88 |
memory/2608-308-0x0000000004580000-0x000000000458E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 12:55
Reported
2024-06-22 12:57
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CashBack = "C:\\Program Files (x86)\\CashBack\\bin\\cashback.exe" | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NaviSearch = "C:\\Program Files (x86)\\NaviSearch\\bin\\nls.exe" | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BullsEye Network = "C:\\Program Files (x86)\\BullsEye Network\\bin\\bargains.exe" | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14}\ | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\ | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\javexulm.vxd | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\trkgif.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exdl1.exe | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exdl2.exe | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| File created | C:\Windows\SysWOW64\mac80ex.idf | C:\Windows\SysWOW64\angelex.exe | N/A |
| File created | C:\Windows\SysWOW64\mscb.dll | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exdl3.exe | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
| File created | C:\Windows\SysWOW64\vx1.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\bbchk.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\msbe.dll | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\instsrv.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\javex80.vxd | C:\Windows\SysWOW64\angelex.exe | N/A |
| File created | C:\Windows\SysWOW64\netut80ex.vxd | C:\Windows\SysWOW64\angelex.exe | N/A |
| File created | C:\Windows\SysWOW64\exdl2.exe | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msexreg.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\vx1x.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\vx3.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\psis80ex.ax | C:\Windows\SysWOW64\angelex.exe | N/A |
| File created | C:\Windows\SysWOW64\vx2.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\vx3x.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\exclean.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\exdl3.exe | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\angelex.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\angelex.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\instsrv.exe | C:\Windows\autoheal.exe | N/A |
| File created | C:\Windows\SysWOW64\vx0.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\exdl.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\exdl.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\mqexdlm.srg | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\exdl1.exe | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | N/A |
| File created | C:\Windows\SysWOW64\vx2x.nls | C:\Windows\SysWOW64\msexreg.exe | N/A |
| File created | C:\Windows\SysWOW64\exul.exe | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\nvms.dll | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\msexreg.exe | C:\Windows\autoheal.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\BullsEye Network\adv.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\adv.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NaviSearch\t1719060918.dec | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\cashback.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\template.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\template2.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\template2.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bb_welcome1.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\t1719060918.dec | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bb_click_wider.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\Uninstall.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NaviSearch\nls.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bin\cb.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\bin\adx.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\t1719060918.dec | C:\Program Files (x86)\BullsEye Network\bin\bargains.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\t1719060918.dec | C:\Program Files (x86)\NaviSearch\bin\nls.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NaviSearch\ad-nls.dat | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\Uninstall.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BullsEye Network\bargains.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bb_welcome.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bb_welcome.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bin\cashback.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\cb.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bb_auto_wider.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bb_auto_wider.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\icon.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NaviSearch\bin\nls.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\bin\nls.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\bargains.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\Uninstall.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\flash.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\blank.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\logo.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\logo.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bin\cashback.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\adx.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bb_click_wider.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\nvms.dll | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\nls.exe | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\ad.dat | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\BullsEye Network\adx.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NaviSearch\nvms.dll | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\cashback.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\flash.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\blank.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\bin\flash.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\CashBack\cb.exe | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\template.html | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\NaviSearch\ad-nls.dat | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\bb_welcome1.swf | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File opened for modification | C:\Program Files (x86)\CashBack\icon.gif | C:\Windows\cb8034_ICMEDIAX.exe | N/A |
| File created | C:\Program Files (x86)\BullsEye Network\bin\adv.exe | C:\Windows\adp8034_ICMEDIAX.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Search | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://www.exactsearch.net/sidesearch" | C:\Windows\nls8034_ICMEDIAX.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\TypeLib | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\Programmable | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CB.UrlCatcher\CLSID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468}\ = "IXYZ" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NLS.UrlCatcher.1\CLSID\ = " {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CB.UrlCatcher.1\ = "CB UrlCatcher Class" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}\TypeLib\ = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ADP.UrlCatcher\ = "ADP UrlCatcher Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\TypeLib | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1\ = "ADP UrlCatcher Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}\1.0 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\TypeLib\ = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mscb.dll" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1\CLSID\ = "{F4E04583-354E-4076-BE7D-ED6A80FD66DA}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\ProgID\ = "NLS.UrlCatcher.1" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\ = "IUrlCatcher" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678}\TypeLib | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ADP.UrlCatcher | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\ProgID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscb.dll" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}\ = "IUrlCatcher" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}\ = "IUrlCatcher" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ADP.UrlCatcher\CLSID\ = "{F4E04583-354E-4076-BE7D-ED6A80FD66DA}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\VersionIndependentProgID\ = "CB.UrlCatcher" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678}\TypeLib\ = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}\ = "IXYZ" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NLS.UrlCatcher\CLSID\ = "{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}\TypeLib\ = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468}\TypeLib | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468}\TypeLib\ = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NLS.UrlCatcher.1\CLSID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}\TypeLib\ = "{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3}" | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468} | C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msexreg.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\CashBack\bin\cashback.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\system32\msbe.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\system32\nvms.dll
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Windows\system32\mscb.dll
C:\Windows\cb8034_ICMEDIAX.exe
C:\Windows\cb8034_ICMEDIAX.exe
C:\Windows\nls8034_ICMEDIAX.exe
C:\Windows\nls8034_ICMEDIAX.exe
C:\Windows\adp8034_ICMEDIAX.exe
C:\Windows\adp8034_ICMEDIAX.exe
C:\Windows\exdl.exe
exdl 1~No
C:\Windows\exdl.exe
exdl 2~No
C:\Windows\exdl.exe
exdl 3~No
C:\Program Files (x86)\CashBack\bin\cashback.exe
"C:\Program Files (x86)\CashBack\bin\cashback.exe"
C:\Program Files (x86)\NaviSearch\bin\nls.exe
"C:\Program Files (x86)\NaviSearch\bin\nls.exe"
C:\Program Files (x86)\BullsEye Network\bin\bargains.exe
"C:\Program Files (x86)\BullsEye Network\bin\bargains.exe"
C:\Windows\SysWOW64\exdl1.exe
C:\Windows\system32\exdl1.exe 1~0
C:\Windows\SysWOW64\exdl2.exe
C:\Windows\system32\exdl2.exe 2~0
C:\Windows\SysWOW64\exdl3.exe
C:\Windows\system32\exdl3.exe 3~0
C:\Windows\autoheal.exe
C:\Windows\autoheal.exe
C:\Windows\SysWOW64\angelex.exe
C:\Windows\system32\angelex.exe 0
C:\Windows\SysWOW64\instsrv.exe
instsrv.exe ZESOFT C:\Windows\zeta.exe
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Bargains C:\Windows\system32\vx1.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy C:\Windows\system32\vx1x.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\NaviSearch C:\Windows\system32\vx2.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NaviSearch C:\Windows\system32\vx2x.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\CashBack C:\Windows\system32\vx3.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack C:\Windows\system32\vx3x.nls
C:\Windows\SysWOW64\msexreg.exe
C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\eXactUtil C:\Windows\system32\vx0.nls
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adpopper.outblaze.com | udp |
Files
C:\Windows\exdl.exe
| MD5 | 799431b1ba4ee0dd68cd3a7097ef20a5 |
| SHA1 | da34770c2fe613cb90e2cc452d29f1e101f04ba5 |
| SHA256 | 26594ac21f6c4683286b5a29920a4701211fe15f9ae9c91db34681237314bc7f |
| SHA512 | e7bade33dc5385940009f4500ff60f99a557c0fb40f93fb772cef2c34a2c25d7de2429faab42a31ef6b5f84ad40238f44893d3758925e9a2f17ccd3062fe9c7c |
C:\Windows\exul.exe
| MD5 | 9b571f4eb622096d7989dff203b0bbe1 |
| SHA1 | c9b192394dba6e2e77247a6adf0ac31c2a3fb8e1 |
| SHA256 | e08ffb748740b4cb4b11b210e4ae5cc5e9ec8876e8c79179fc2bf111ccc37c37 |
| SHA512 | bb2843f6a3252b6ac7c051624b2e9f89dc3774805a09bd9d4af3394f6238a4a0096dcced94e809156edf4813aef27198cbc822bbe4af2bcf547932dfe1690d88 |
C:\Windows\bbchk.exe
| MD5 | 68d9018bcfa92be76496c143ce4f9dce |
| SHA1 | 6f48c0d1910bc6c0b6ed005fc1c540de002e6c6e |
| SHA256 | 55640c5d5611894e5ca968f0d14e428b86a6f664a8336593b93bea61d48abda2 |
| SHA512 | 8c503e125cb96a6483593c259684388150c4702112b89a9740f6fc50ceb676ff286130d71aaa544bc9bf317b1d6ec7c1ea1c79b360fc4d77483b8bf2cecff5a1 |
C:\Windows\trkgif.exe
| MD5 | 584c95b07f7c32469e3eea5c5735acd4 |
| SHA1 | 4c90b4884fa1efdb50ee7ce88aaa600549e65464 |
| SHA256 | 0d26b912d323d509a29466356772fd03d4006f8c253f7b1243149af2a8ff8073 |
| SHA512 | d0728f09f6aebfa11e1476854254b2bb0f95c6846a7f27040fc751befc6fd94b77c931d40c911bfdeea8af8ce3a338797727ef1828f52d0cf705ffc31c396d99 |
C:\Windows\SysWOW64\msbe.dll
| MD5 | 675a09dbb3a90703294bf4bf937a3816 |
| SHA1 | 5662279d822d0cfeebf7205288a3bf3cb79476ce |
| SHA256 | a9fe9932e706a501cc4176ee7abe8f1cab78f54d916d5955f1e08efd7358701f |
| SHA512 | c28758cef03312125672ce05ebe8a07fc82caa33a808b619949e6339f82934d1e57e8e3b7ee2488c66cda457a23fec1f5e8f47a7c8d2847f804ee9c88be70d6f |
C:\Windows\SysWOW64\nvms.dll
| MD5 | f4eaa09d78b46f943f8b093606866301 |
| SHA1 | 87a1a3cbf775501f4285d949c42a3b8b52fa79af |
| SHA256 | 2e37739c20b29bae5f558a8f5463f7aec6090a97cb5adca6e8b6fb50ba7559de |
| SHA512 | 7b1720684348dee4b4f3549d8dbbc2272c9cc2f364b26085401c4c861d52f3a820aa99aa2dabd99be1df38797ff2360093ea6fb03e0a62f7821b1416e2f3eb4f |
C:\Windows\SysWOW64\mscb.dll
| MD5 | 1141f409bf9596ff9b195dd34e307e40 |
| SHA1 | 1f782d8b6b519e46702667316ff6f2d962112872 |
| SHA256 | c300833a63fb6a90eeb807e3584cb8bfe2ff4b54d5e19523db1a66fff6a68932 |
| SHA512 | 4f340e4cb8f167cc8c40606d9857bcd7cac34b5838aa6dd58464d81c0d903437a890cc8739d968e3dde887579599991878e8b9bb7575af655495ffb9abb5dadb |
C:\Windows\exclean.exe
| MD5 | 9f51cdf75d08b49ed39ebc05e3374bd0 |
| SHA1 | de37070deeefc3ae9d642520d1be55579bfca45d |
| SHA256 | b87851eb4df8069cec166317fb079a46da5699faec098f0a5cb7f0a8a25423cc |
| SHA512 | 965d69c849cf9ec9ae66dba5d3948c755afcab07cf46857e871c18f5d6ab89171da91c5a6a4d28323cdd22bf81e669d255ab1610566de1da58884fb08bb146d9 |
C:\Windows\cb8034_ICMEDIAX.exe
| MD5 | c2c6fcaa3775bab675859ccf937cb93c |
| SHA1 | dd4cb09f48cf713b2a51aad77a13922bbd89366c |
| SHA256 | 81a470036f9c997c949ba57149a9f7365af610a0a4c94d1dae5f0612cb467eda |
| SHA512 | 4d1533c34ad851ccb89a84fd3d5413f1362a12ce8e631e03e47b6afe554e4fe79b10061082edd3ea2cd27a590219df70bf7fa366ba7ccdefe4db61414c492cd8 |
C:\Program Files (x86)\CashBack\cashback.exe
| MD5 | 6facb09c2ea09a439c911515a2f32456 |
| SHA1 | 1e26a2c37e06724f723080be15e67f516b9a2877 |
| SHA256 | 33a3f6628277aeba874c08cd94a9e559de2c13aa4179ed5fd5e570121a3ee042 |
| SHA512 | a59b15eaf2a3cc68c183e883c4fd49a4d250201f2d09c42b9aa3ee03dc6311bc0cedaa5ec70eba3d4fefced3072cceac0657891d530522b1ecd52b35c52e02f3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | b76507661c80ec25c4bd2affbe2ea88f |
| SHA1 | b023e84d392d8e22708ad4a3710464af1752526e |
| SHA256 | bfbcebc8b1720470cc51aa6416420c43aaf2c3f942159cd49ed4239c86b20a74 |
| SHA512 | c2fb38427eb6f123b973ef54664ae4bc1bccd30f82cc640621080b7a02340cefb182528f9d3ef269993f778bc7fdb76d847368cd747bd2528e57ebc650fa0f4d |
C:\Program Files (x86)\CashBack\cb.exe
| MD5 | 9899f2dd68fd636833ef144228ee3e8b |
| SHA1 | c770f0e7645d4d3262620bd52e0e557c700dd36e |
| SHA256 | 40a105d2236e1ab6376edbd6c8611818853fbd8f3d851368def1b9fb9688862a |
| SHA512 | 2c0968492161a3176049c122c7de18baab8456c2cfbf6cc4a8bd87a1cd56f378ea590129e6cf9aa98e0b2eff962ba54515ab0caddc9dec79904a16f5ec9d9606 |
C:\Program Files (x86)\CashBack\flash.exe
| MD5 | e4d97541176ac53baca22e48cbda1acd |
| SHA1 | a3c0cfe8915e4a3de609eb4ba1b3d6f3e20fd072 |
| SHA256 | 3d8b609d207d3c4397e5db1bb083725eafbe45e043a639325d37f4d96feb8013 |
| SHA512 | 99bcc270aae61d59d0af32da09581ff98bd9f1b05cb7b93d4f333924bf4a2f712a798951e98b39f8d6a0fa42b91474533ce36706625572f1bf2bd00f81fccae7 |
C:\Program Files (x86)\CashBack\bb_click_wider.swf
| MD5 | 0feb450c9aaf40e8a1ac4a3d81f7cff9 |
| SHA1 | 3ca296665e29c866d9a36571f43b9da721be4d9a |
| SHA256 | 0220d00b6d0073ed527cd835fb8fe392b96e4a0d138d69dc9adf697121230c97 |
| SHA512 | 1c0c3bd5fa2d4357876421f56cf9e34751ff9c6faaa51e62a460ef5b033abfa1cad3d112d4d28b4f44b90bfcc3300379c057d200667b5f4ece3ffb5adc7ba451 |
C:\Program Files (x86)\CashBack\bb_auto_wider.swf
| MD5 | 6d15e76001accd8fe663d52cba4ef2e5 |
| SHA1 | 936329eec5cd422644bc15e2db33fdaf0172ba98 |
| SHA256 | 3db760d72de2d28630aa47bf2dc932ed99563f414e14a508758609dc6e3bd714 |
| SHA512 | 77972112b618680301f996546c098066eb43f63a0680bf419b2d37733177a80dc103b1efbc2425fa47f7b9edb44c8c58eb4b92ee4ec57378e9b23caea1180c87 |
C:\Program Files (x86)\CashBack\bb_welcome.html
| MD5 | d299a27a210b338e5229785b941cfdef |
| SHA1 | bf7d6f95922d7882f32c9718beaed1efe50e6ac1 |
| SHA256 | 625dc00715f006824984271660f829dc310ceb4cb45f8af401c304a3e5aae631 |
| SHA512 | 661c579b98c52191bf6d8fb79e98d91f24626dcfef36c33e31a3937623acb929a7eaf481dea7ccd56998b3bd8764287cf3f2970947c0928aca59c63727116d6b |
C:\Program Files (x86)\CashBack\bb_welcome1.swf
| MD5 | c0affacb99623c4f9a2a878f12d02647 |
| SHA1 | 900c8d00e12fc1ac3af7a037fe4f1d33b15eed14 |
| SHA256 | f698303cde4e0a6d6309107c72c3274fac5a9d0634ff470b977a78602305f518 |
| SHA512 | acfcd619cf703222c3c25e1bf328cb2ac4e7497cbdf46b49ce273fd37551e7bb835c867ce072c50fe7214628c6a1a28288ee363f64de74f2c832b1bc23f7558e |
C:\Program Files (x86)\CashBack\blank.gif
| MD5 | 325472601571f31e1bf00674c368d335 |
| SHA1 | 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a |
| SHA256 | b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b |
| SHA512 | 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc |
C:\Program Files (x86)\CashBack\icon.gif
| MD5 | c2cb3f56cb075c22d7dbbb6dcca40f8e |
| SHA1 | eab286c5466c03cf0ec8f35c53e3468229ab58b9 |
| SHA256 | 59c4b81e937d00208a5b280af4eca09ea8ddacac57c79fb138f12713e4af1514 |
| SHA512 | 25738608e5f87b1e3069712359e81d2558294f5e0892026a1f3628fc5cd91075f6d55bde33ccec6c15610f68106d379ac29180cf0c3df884c48805c32cab03b0 |
C:\Program Files (x86)\CashBack\logo.gif
| MD5 | 5b48ebbd988ace67c6d203657fb9225a |
| SHA1 | da0f8eedce95e19d25faf9668839c7bfa5cc97ad |
| SHA256 | a30f9227138042bcfbd601863ea6e2f8b3657f305efb8c77ad691ac279ca8019 |
| SHA512 | 5b4755537b7f95eb31e5f04aa51e01430123acac3d56a4f925dd76588bcc33c3b3b1a788ea1edfee584d8bf69e79daa470f674e5404bc04212ad3ae654d026a3 |
C:\Windows\nls8034_ICMEDIAX.exe
| MD5 | cb90a48a7bc692a0165dc5cc79454c5f |
| SHA1 | a82128b70b00467029cb4de5df44838e5b45fc26 |
| SHA256 | f7319462926520b3ccee2731a1792235d060ce26356ccf361777ad530fe5ef1d |
| SHA512 | 1274c144f0556085578d52013d1f996dc5b998d79458eee03494036d9c2a32549cdeab2c84e02f03c148001fb42a6042771281209ed14a6ff535d5fc37a6882c |
C:\Program Files (x86)\NaviSearch\nls.exe
| MD5 | 3e4a8942089709e8d79392a0957a8ea8 |
| SHA1 | 86c601f6b9101bb588b8819e71e5044422ea0f50 |
| SHA256 | 35f7bf41136f7820889c06f0ee016ed2758632004db44eba7bbef9d006f1912e |
| SHA512 | ce6180f7d6d4ffbfad9f001c306fecefca20c0ff366e498cf0483bdd338888dfab8e38db1294ee2ba4ae9ef995e2cda1948ebe4acfb59f7efa2b53dc6525c24a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 44cabd750b87cfc4c2c63b3ab28c9348 |
| SHA1 | c00617c8c1ae1f476d9e5b42cdd5148cb21c7243 |
| SHA256 | 202842d9e26d2ad58c01b4bb2e24878aa4caef55c93c7f3d7825de3f6df53c41 |
| SHA512 | e995673593fd8471adb170ccca0954873923ac6de892a977c17a36b9bb287c73e766f4c63137b236a140b2ed53e15e308c0349442d7c53fe711db878549173b2 |
C:\Program Files (x86)\NaviSearch\ad.dat
| MD5 | d7ff52ea75594a565fac58da5a66f041 |
| SHA1 | 10677adeab52b900ff7a242f8ae4f7710c79512e |
| SHA256 | b7edbc2853b8fce6ff23de355b41667efcb3274d9a4b6d6fd4e6dbe29baceaa2 |
| SHA512 | 7204b7f425a8d803f7d5e9db9f8ed86bea7e575dd71cadd63100d7ad2b2681ec08d715bcc776c8435c247c1924304d737c4d7249e3edf829b8d06203239b9433 |
C:\Windows\adp8034_ICMEDIAX.exe
| MD5 | bb83cba39e9f69b0ea9f79aaf1cef729 |
| SHA1 | a0d98be45bb23f8a6feaecc1092f2ba3dc91221c |
| SHA256 | 7036a541caba0e20169f8cb5a906de7a7eaaec862abe5936691acc1a2657a057 |
| SHA512 | 0d506b0151b74e6317fd63dd0671cf6294920e1f052861d983eeea40a7ee1aa31f4c108f58615cfc85bba22555d9abed95b8dea9cbf82136975a996fa4d95dee |
C:\Program Files (x86)\BullsEye Network\bargains.exe
| MD5 | 293b8f27d5ede0b27ef2ad2f9ecedf6d |
| SHA1 | 994d3af24ea51f0dc326840a735a632d8569ead8 |
| SHA256 | 99bf422be6c81b10b423d0f33ff08b04397020b3b4b045024c36ed91d12cb490 |
| SHA512 | b49ddfe6d357ea466c1e5771b67e6bd8e1e737db29b92e94712de11495c9b2572d7e999a6282446f4f6c54852b612fffbe8509dcc88bda5bc07cd03da8432f20 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 3233006d9fc58a419af35470ce0b59ea |
| SHA1 | 1c75888ed1f3389f986429676b7f683fce0f0ce0 |
| SHA256 | ad70db38fb11f3a5619da09af32193eab468c3bbead7b2ad5fb06659c14262d6 |
| SHA512 | 8d475ddc5d2ead69eb360a61be548838cd98b09420e26b2c34c9188deea5f213d49a568f27cdfd6b7ef115c42e2c6daf647aac09fcfdd7e9a67e8247202d8064 |
C:\Program Files (x86)\BullsEye Network\adv.exe
| MD5 | 56979b69b9ff449b792e53f7e956cecc |
| SHA1 | 6a63738d767cca38582ca84b355510a1cecb188f |
| SHA256 | d8e3e92fff45f70b62034c754201f42d71ee8e443cdfa550219623b24281aefc |
| SHA512 | 772ceaa4967c57645ecfb0985a1b72f624a2e4ec09f0fbaca75abd98c639bd8609eb2864d45d499c35bd99863915ca1ffcc7505d2a77dd46cc664aee6f96fefc |
C:\Program Files (x86)\BullsEye Network\adx.exe
| MD5 | 812def7df63838ed0be0a2b6a3fbcdb0 |
| SHA1 | 5c5aa6bd7e118b6a9d9f18c6ffd3d2b4c9cac18f |
| SHA256 | 0376b21c8f4bb3231aa4c1afda7f491b20690cdd30ed4dd1680800e5e2a58d20 |
| SHA512 | 664a8cc8e2e27e4e2974221c3be842d7307facd93008cfc0c870d452d035abda1e810cfcfc20fb4cfe1d7266251ca1d4a79dba436d6769bf2ee8accc48a10be1 |
C:\Windows\autoheal.exe
| MD5 | 883b06a996b3c351b97c8069951b5bd4 |
| SHA1 | 9dd1a272c92b3cd73d59dba17c29783d7e39a61d |
| SHA256 | 7311608a1af5d2bad5dabd58fed9ebee5b9a5f99c06d9adc97c4302afec410f4 |
| SHA512 | ed9dc896b1884f302188274b0e52bf457d0724fd9afce2510d26bd76d6e0d3b2ca9c83c8e9a0101397579eb26565f508af7cb68093e4d2ef706d4d90919f87ff |
C:\Windows\SysWOW64\angelex.exe
| MD5 | 8d9a9918a759777619839cf275127de9 |
| SHA1 | fb8aeea3ed04ff3aee28a7e8dd9843779efce7c5 |
| SHA256 | 0336521180fd028ca546ee5687c25beab31b56e5eea6c91509b31ee3e620980f |
| SHA512 | 6c5bce0ed532bbe19203b75f8466fc6422f24ce5d35f5441c0ba6b6b003ee3aeab1ecce7d25babf09129ae2e5be17c07e559853da459cfb5af7d48599ffbbc88 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 95045249356aeb8c720f51da5a9ecb46 |
| SHA1 | f2d9ef6a00c8baf5148f20baaf59d68d96028608 |
| SHA256 | 9ee26a9b507718d54f43d02b3a2e1b31f8ae9d9ace21ec59e6dd9e3795390015 |
| SHA512 | 08b9d5ab4dc8277bc5c29bf379013f2573fc62716ce6d395d63edca8d57a3f5dd35dc80717d7b8ca163befc96403c459a40ffbae9667a23c1d5d55167c86abfe |
C:\Windows\SysWOW64\instsrv.exe
| MD5 | 77df462c59e3bc5f5effb28693221b79 |
| SHA1 | a3231b7fd124668940e0921e7ec784e44a92aa6e |
| SHA256 | c197684156a9185c4ab460ed1f84b669771c6b8d4848cc63f9954d8637eb9414 |
| SHA512 | 00cfaee49a721d3173920a1b69565abd2c7bd2d4f78ee63d429d7b903fc7649c37fcde4be08514426937e5fa96bbe69562a46c4882c6e7ddc838028bee168930 |
C:\Windows\SysWOW64\msexreg.exe
| MD5 | ed626b1a2d7497b43c3dd299ef2c41ab |
| SHA1 | b586abf7c9b38c750ae7c00d278e1427658193c7 |
| SHA256 | e1f9902c8785ce49b099173e9065434ffdbb3e347702d14d5d924cd439d16920 |
| SHA512 | 9362f0479825297c1f416cd2207fdf831561c1f5b90247d8715e6b94385e6e8b65f4745f70d492e9c06d397fcda5cd2388315a0542e448fc48c28eefe71b9b05 |
memory/1168-349-0x0000000004580000-0x000000000458E000-memory.dmp
C:\Program Files (x86)\BullsEye Network\Uninstall.exe
| MD5 | 861f3a1b7d4a9819ef1b7a8eda73e23e |
| SHA1 | 858b74e6f0668de09daef963b54a39f528933416 |
| SHA256 | a2aa9844a53aa48a825c14aaed05e2ed15dde7ba73d5edf8aa210d5ab49ad902 |
| SHA512 | 8c71abe9d422e2c80b86e1090afceee557f0b8b5d0f48b6c40b46de38fca371fb09bd3d5f2ab04ea5ef057360fb9c919ed2498c3906b5a8a5a91030eaf5d126d |