ab1c7f4ac5a557c7a4fea24a6d8e376a51ba9488ba74805a5d68a33e769338d0

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe
Size

2.7MB
MD5

09bce6fc3fa2b0972d7173726a67ca42
SHA1

d8f8712aadfc64e550c6f1588cfa1819eb0baef5
SHA256

ab1c7f4ac5a557c7a4fea24a6d8e376a51ba9488ba74805a5d68a33e769338d0
SHA512

ec148ccde3e6af5577709b917c430cb21dd8115cbefd4dbcf3dae1fbe8a4cbeeb9b0440f1d541cbdb3b90e6cdb0d1cfc3e12841d1a00147022ce777220e1a55d
SSDEEP

49152:3Z74mej7s9QlRZPswbIEvSD7haUNs/NW5GsA1L5jl89ebA5rOYiZn9:3N4aKfE0IPhaUNs3XtpAebSivZn9

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
2408	Inbox.exe
2344	Inbox.exe
2492	Inbox.exe

Loads dropped DLL 11 IoCs

pid	Process
236	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
2344	Inbox.exe
2344	Inbox.exe
2344	Inbox.exe
3032	regsvr32.exe
764	regsvr32.exe
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_facebook2.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Plugins\plugins.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\libeay32.dll	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-O1BRR.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-6JI2U.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-5LE8C.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\is-C3FRF.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_weather_plugin.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-NAS7B.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-2PVE4.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-UQUHH.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_navigate.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_1967.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\ssleay32.dll	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-9A70T.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-9UCMB.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-8MLDD.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-S12G5.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-KAACA.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-KRI2E.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-3K346.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-GANHH.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\mail_plugin.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-8TF5S.tmp	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newser.xml	Inbox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82845&iwk=845&lng=en"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000005b3d3675afd5d73da8d6bedfd05c939ef05797ae8ed73452b2ee2fe018e7593a000000000e80000000020000200000008e5cfffddc906c4732f4b5efadafa15689b4e9843c4b6c9ffcaf1741a3d65a7c10000000fc2fbae4522119c3747da0c3daa348d2400000002d29baea435baba3ae7f52a6e4487873836a6cb44cf76c2ce1b62b1b3cc25b6d56a700531a34607a20626bff8106741e47e60d37328c765343b63aa900c500d4	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000005bd6945998b0b2108d15180a5b40b60fda22baa5e1a947f551f224e8f35db316000000000e80000000020000200000007eae9eea15b5d2ef46dbd9a9afbc966636b0fff9aa1602db9378bcd07dd38eed10000000a2d8949b4471931d9bab011d61493b6d400000009ecd399e9032b649fd2a636e8e10179be9b93de8fcff7addd7861e0f5fb77e8fea957273f461558d579da8a7a7eb5fb4e0f091791197e0818760e1c980801f21	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000087334fbe4e1a8863fb5220aabfa527f021ad922ce97b6509f988006727588255000000000e8000000002000020000000e6ae169425088569878e2cfa6ade5ce1b62aceccd635ca9b4f8e12973effded41000000093ba68aeeed1435f9a369fc3186a244240000000cd544256f886e95c1069a71342afc07a26c6f2884999ff1e254d34a169fd2722a7e9c5c2c3612c665e9f5337b17c2e17cd57b674b42fb2f8372df75da5d04c48	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000641689a2112efd1ad3972dd237ad99b434ef8cef702426fa6263ef0d29a710a1000000000e800000000200002000000078cd2564de2bc09d074fcaa3fa4c30ecd9399058eb90de3debf59affc3c92d28100000002124455f98e3b96d14883a8b85e74e9f40000000e5516d3d5516c11819cc682856a21cef52523c44466be6bcf900278bb29f01edeba941ad07d4d18d041e8dbaf812c78ced933b3db879f858cdb76bd1f13c8b01	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000f27cfd7229641d00a90f70f64e28f161a335ea060d5fb3dc0375b93c3aa821cd000000000e800000000200002000000059730f570447ef5af54d62c5168ffc39f3e7887b947ad3538f0f6b470b87fc7510000000257adb2c31b813893e7e454257af1bc04000000093791bf8903b9df6253bf73b28672c6f85f38f5764621b86aba88a6b94921c3d75f58052af4dc604c8920d4c728b56e02a9f7601750eb6f6bcf62aa4966ebb54	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000008adc61781eb9f375c8061aa6b09a3a7ab28c60d4af6498749bb5d37c22c868d4000000000e80000000020000200000006b94c85c7f6f482f86fecc4adc857ecd68e380a732948d3cbbde97586bfe7a3410000000d8db7232a741c01eeba1904e687fec934000000079bf8f799afcbb141c73652e7a8e12eb37680b8c97fd20789ac7b048e088e7870933986fd26b5a4a0b1cfabef89f4a99119f3bac43d07f6bb409dac623884e49	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000b6f7ffc8edd8539c35841bff575acd178c9d104831b6a542427ca06b7863d7f1000000000e8000000002000020000000453ff06157e35908611389463ca3edeb9cb87997ce283af97326fbb7e97398fb10000000b094125ec49a7041e5fe48911ebe11ad400000002a4fdb2f1d138178d6f46a12cb203db143d33b1ad2f5818dca467c1e646236306200414d22743a5d625f3f81036db234702a085f461aefe34cfd523a283f60fd	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000005a0cfeefef7c3d91624b20138f2f9786255a4524380289473073d7be92f9b094000000000e800000000200002000000000e3104e20f3de4c3d286612f08811381ad10b0fb2cbfe1b0164c27120588cd7100000002f696d7acb2882af7468103d31213a0e40000000632d9cf1c87f5ebbd73385a1e309af731b637afda21a0eac8da32c97e86faa6d545d73d9a88111595e34f85a3c265e0f79f672aefd08ae72d83d3bcec19a97d8	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000f105986ce6de46161e54fd1ea3afffb2f4404affcdff08c444f8a892abe725c2000000000e800000000200002000000033c5a6361241be62bfe51db11ea6f90a70dda2eb287b64ded955b98083e2762c100000005f8c0dfbd8c1ff73aff347659f993cd54000000028af922861108c4f370263afbb1a228c545edd945f1e234689672b936f35df0ff0f799a4214f4486c77b38dfd28527b4565de3f9033e3717bc3badb7066098b1	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000017e7255808254ae4fdd9a10bbb0cbaca663d30ac860acc1b8a5a1f5a1ea53026000000000e800000000200002000000094994ed71294e823b3499215790bd5f7dd7006a3b416457139e7353a210f34eb100000009d1c153ecc10d9d216f5c49949a1196e40000000ad0fb38373b0dad3e6c824d0356017fb53f0ae5cbb177b3b06c6de22c0026525f0c7f707e8dd613ffe9201f4e08e979db9cf0befb276305c1bf94d23c568082d	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000dd6367f33d1cd600df3f18b0ad31db74e5fb0ea1d72e58366a2e7012a9cb06d3000000000e80000000020000200000009fa06f346491067a19a6dcfdc8004913c27195a1c70abe6e6a4a68af2e3f6f871000000050599a16212efebd58a2c60e0cf0709240000000260c946e76c07c2ac4318f272bbe642cc3de93581205ef9085e3a993a87f83384702d2537a9e674a2d69b8a561eccf1e10aa704362bf2ce36211ae21b06fb379	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000bc1c5567b3e1881a3e59baf99d526568add6d8ef628556f5032347713e2ee123000000000e8000000002000020000000db0e7233c221a7b1fcf2bede898d10998a74597b435889c88d8df4b3e8c770cc10000000a92180ecf238b0a699cf40910fb3370c400000006114260866b7f271eb81190a31ab88fd8b882339eaf3535a6c6aed66252276456d21fcbd8e20b91388d68154a2911458ae86b052c27e3105dae3c6901e45714e	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000e642ae9b0c749cca4ce046091ff738fad7b1f577db9373afba5add0fee84ee3c000000000e800000000200002000000019462e60fa9ea788b91f7a05a4a9ab56986b965b659b568c767be223e05cdcb0100000003c67c4747e9b9ec7d77a1f474259843b400000001135148bb20d6e3fdafdea20505f27bf32bfe02972615f68a5bf6af8e80bc1a3e532770f892ad8f4f84f8b1b0500f1f83555d94ecf5f0af668e08fc7cd1cc1e1	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000016ce2c8983f2679f49b328b5712317596db0d8ec2192b42b69fc902d844a2fa6000000000e80000000020000200000008aea45aa6af2ebc4abdb639df72491811ffbe994b354329732d446c2487cc92f10000000c32dbed79a98fd4ce3f9410b787d5fbd400000000068cb0d78b709a32997c5aca296ddd3dbc2140af0c2a9d436617c30ae35eca14945a6376395a05cdf6a2498b892c18a1e08ce5e75737584d93f638c2563dc15	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000b8e673192a99fd0c34882524ae1e1ace757d34229259c923cc23c03ffa9c8f4a000000000e80000000020000200000004135255c2d2dae85b42528862d35e58ecc79f561d79eb307916ffb2c4d75a42a1000000025c702977b23470bc27ca22fc2d1e2f940000000a92b868157bfb256329a19dc68b95c90ede42258d99be57f1b9d100656e8950a925aa2be897335412d3729ad1c8c0bc9295999020271871d68a5719e88ad9cc7	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000003e5c8be19755ed144184d1985bd3aa97c00cde4b4f0e30e0691f337a5b85e389000000000e80000000020000200000001cf5ad020ed2c778018fc1fe8e41c35ee74b348f4c75b2b9d6398e6b8dfee6af10000000dfb0e0881292345e1628fd349574561a40000000219f9001a9ce95e8a2183987fbbd48d83366dcc1d86612b8d3bdc60e62d2200633fb55e23e83ddcf4188b1d3fb038316a790967ca78ea251983b1c9a0df66104	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000006c1a9ee27c8c15e9ec3fa3bf19c05aecb1eba088afcea7eec7ea6ff4aab73a63000000000e800000000200002000000068b3d59ee8dd8ac8711bab4f63cf9960438007edf93bc5118397b5fe5986839910000000e732f4540acf6af46d01e152979a1a1c40000000259dbbc622cdb1cca64b11a4676c71f56a6bdfbb644ac5221a16c8b09aa73ff1c725cb322f1ee04573740e5ee53bcc7a86e91a02cdaa516ad4f679b82115c976	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000007548f3db56476e17454c4a5b356c42db5631cc99367354d153c7d2dd085b5f94000000000e8000000002000020000000f2580e68d686b3b7799404ced8d88f520bc7052c23c798459582d5f5eca4ed4210000000d26a0d306c5badf14b591b87087e342040000000aa3cad807fed5aa2ac82cdd71154e23e02ba3f8c68514da20e18990133d65849a20ba61c71b24ded0d53be47a5c40a6dd2b04a2973958749a756b4920f33ea78	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000082fad27dacf8bb77fb3c7ca0448e0885e2733a407551bf926592819a9da81b61000000000e80000000020000200000003ceb3b890b4a464462f3ae7899b824ab6c37a82a9599ff10d2cd11ea3ca1317110000000b352963af62b864931b9cfc4ab04514240000000a7d92115255e19f94b4a4cffab9b11e04d0ea1e411e95c7acf46debeadc655fe19ec3ea862134d780a6fb2e0814f52b77d2757e093724274ecb7c7521995dcf6	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000ac2cf511fd52493bab8175bfe58e25934a0140222f4b317d6770d07a1f92a8ac000000000e8000000002000020000000cd2ff5a540c12f87065f9447580c7356cb92f9f69ddb500c71ae5a57b0b41f2810000000e0ccffd0dd095ed13cf85b9851a93e9540000000eba6a8e0649cb9dfe9cb42c4b6b57b5433dcbb6122a266d0eb4655288a50e6d1261148f08e0ebcafefd5b2e0046cd2dd818bd2ab55cd26d2a1ca33fbabfdca45	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000005187ee31a2140cc85cad5deae90d920cee97e9c56d1ce84a172973fa5739941f000000000e80000000020000200000002c5384fd3468b14cd36b32a8737bcac805604245bdcac445ba196d2ce787cb55100000005c481fcb9e079f0bc1cfe97a02963afd400000009ea39315ebf0bf4c3b11d24ab353c2c74d2cb5453a015baf59f655cc3baf442256eed21962244c9acf604bb8d37242dabbd6ab83478f993ad40b18c7434bd1c0	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000293c7e500fa88108ec5147c1710842b5aad20762b4ab07264080f620565b449c000000000e80000000020000200000006a449b49c2d4c7e64dd1d2508d3a4bb7bf34bc9fedfbd03156852252768cab5f10000000c6f3353149132d56bd5bbee0a372429b40000000b349a6710e5f893e32abd891284509881b62c126c0a020ce7e83f1d4d43535309aa5ec48cf754d1f3fd8cc6e5d88e6011ce40321aa256d9ab9add7a9281d3b9b	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ = "IAppServer"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ = "&Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Inbox Toolbar\\"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\Clsid\ = "{612AD33D-9824-4E87-8396-92374E91C4BB}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0\win32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\FLAGS\ = "0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 1900000001000000100000005dc45e2cd1845791bdde7600050af510030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a0b000000010000000e00000074006800610077007400650000001d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e71400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc090000000100000016000000301406082b0601050507030106082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c00f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 040000000100000010000000069f6979166690021b8c8ca2c3076f3a0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030106082b060105050703031400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e0000007400680061007700740065000000030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a1900000001000000100000005dc45e2cd1845791bdde7600050af51020000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030106082b060105050703031400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e0000007400680061007700740065000000030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 1740	236	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe	30
PID 236 wrote to memory of 1740	236	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe	30
PID 236 wrote to memory of 1740	236	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe	30
PID 236 wrote to memory of 1740	236	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe	30
PID 236 wrote to memory of 1740	236	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe	30
PID 236 wrote to memory of 1740	236	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe	30
PID 236 wrote to memory of 1740	236	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2408	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	31
PID 1740 wrote to memory of 2408	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	31
PID 1740 wrote to memory of 2408	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	31
PID 1740 wrote to memory of 2408	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	31
PID 1740 wrote to memory of 2344	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	32
PID 1740 wrote to memory of 2344	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	32
PID 1740 wrote to memory of 2344	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	32
PID 1740 wrote to memory of 2344	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	32
PID 1740 wrote to memory of 3032	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	34
PID 1740 wrote to memory of 3032	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	34
PID 1740 wrote to memory of 3032	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	34
PID 1740 wrote to memory of 3032	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	34
PID 1740 wrote to memory of 3032	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	34
PID 1740 wrote to memory of 3032	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	34
PID 1740 wrote to memory of 3032	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	34
PID 1740 wrote to memory of 764	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	35
PID 1740 wrote to memory of 764	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	35
PID 1740 wrote to memory of 764	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	35
PID 1740 wrote to memory of 764	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	35
PID 1740 wrote to memory of 764	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	35
PID 1740 wrote to memory of 764	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	35
PID 1740 wrote to memory of 764	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	35
PID 1740 wrote to memory of 2492	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	36
PID 1740 wrote to memory of 2492	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	36
PID 1740 wrote to memory of 2492	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	36
PID 1740 wrote to memory of 2492	1740	09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp	36

C:\Users\Admin\AppData\Local\Temp\09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\is-0OKDE.tmp\09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0OKDE.tmp\09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp" /SL5="$400EC,2132727,70144,C:\Users\Admin\AppData\Local\Temp\09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2408
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3032
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:764
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_1967.xml

Filesize
4KB

MD5
641c15fa465fd213fbafe0a08807960c

SHA1
1a10e799d2d680b457ac2a506e6ce9e1eb639885

SHA256
91bff6c4186deda12939e3b4c51c91a85b83a7d4d7524c8fa4b8c97091fec449

SHA512
84815869e1268bd2cccb4d5fce5112aa3467aee9e869d987a2a19768a8a7ea293fdaa9bc8edafc97998df1d8962f07b5b4cfd1f32c16843acde8d3b558507d66

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml

Filesize
51KB

MD5
01116f926b28cb3442473d8b47a6dd8f

SHA1
5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

SHA256
01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

SHA512
df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_facebook2.xml

Filesize
3KB

MD5
45dc0a638701a1d267778029e7b9439f

SHA1
1a9c21d34cb68498df1687db258a3302d19d10a1

SHA256
8ec30fbed691aaa6aba5f74429b94a7f3b03011347d2179dded2b2a7439d7639

SHA512
0593dab63f4f9a064705531627fdc20977d9afe842f5cd9103a389d1633ee1251f54d5477194a5087e037f0dd075d44ee7fb881104a25ee10988d838148af270

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml

Filesize
5KB

MD5
1b4bb1996fe1d1607c402b5b9b46bf49

SHA1
fdbfd8bac0cbb53b49c672cce3a995ab74b48bec

SHA256
fd3585fc0affdb6e46591fcd3122b8f3a3e59ee949c7677ec1ba966191b49b6a

SHA512
5aa61fba5d3c7de01040ce72d2956fea8f2f61df13148f0c164c8a7f66d95422e29e986c1b1719985ef98ffc808d4e1a51344b7900c50711c33d8e691c133830

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\mail_plugin.xml

Filesize
6KB

MD5
d5932b3157fc5d33bf1c2ee608a9cc4e

SHA1
d5c4a96bca0bd1b7de94a0c9b046c0827ec44126

SHA256
2e1f499961575b0d45f4ab87392c21ad9fad77accccb3dff0d6cd7ced17c610b

SHA512
0fcf2edbaee396d543b7a217d6a92804ce82393c7548152693a9a9f4d4bfbb4c44ccbdf388d576c0991b0eaca7c3df894183152392c9c4f07caa85cbac23cdec

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_navigate.xml

Filesize
4KB

MD5
8e87fe8044e1ba16964d3622a24ce383

SHA1
cf3fc71ca76523e160ba06942c1189035f1a7540

SHA256
fd96c083b5ebbf8d84c24fb45e61a5785d7c56a9a9508e4dae109f02230c8f60

SHA512
c426226546317ff99b9fe61b9b773fbd9be043a58edd1369ef2c305ddd47e66d8e1884726672d1c9d2abf11aa4a1d835b27ea176fd90d0ba9f16958e10e052b8

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_weather_plugin.xml

Filesize
4KB

MD5
6541f47f14d00caf3a5afd2c400728c5

SHA1
bb0f66eb5dbf1b87b7c22c1ffb73aea9044c2792

SHA256
9e5a228bbf6689e00de5676b10a69b1a131ae9b5ecf72274a5cb141026be75d3

SHA512
3f57a699cc299a0a8a309a4fb6f59cde886024f82dbd427dd14c38d149bd484edb280873d4b5e34f56c0126c9638e93f1ec12c34a4cd63cfb024488770ddeb2e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newser.xml

Filesize
4KB

MD5
eed5c90550189bc440bc01a26d26e044

SHA1
fd0a62fb40eb99d267d79e59c32cd0cfbc4b0256

SHA256
402332dd03543861b5290a1994ec97bcbfacc8a9e5d7bc730e363390bf742790

SHA512
6bc13dc9a0e3387b8baa0325812ad2af3641d3cca7dc9fdf6412ceca9f68b29881ab2100bfa9b63744074254fce7e20e38203dcf2f25aacf14dfedfb306c0522

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search.xml

Filesize
4KB

MD5
10ccbc4db5529074d66f938af67a0689

SHA1
28ebcb68e41425f8c226e6cda9781df70ddbd087

SHA256
424c44e549be79e027bcf4ed93978ad3c515bb9632d3610d69f94e16d1ed2144

SHA512
f6e33503abb9df68554136ea4c156d70ebf77199e3e8a18d5e7fed056c2d28e581f7db39567f88662f9705a4da5990b070d99d4ff0ce28e91ef5b0eca3e8a8b6

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
abebbb5e520dcdbad18a67989ce96b60

SHA1
75d8f52df3139e7ff93d8528059ac8be93ae6d1f

SHA256
46fa173e57779f42f71eb2df45a742e05cbf2daa9977f4ecc3f77823894e98f1

SHA512
cbf7047331297ea8ea53b5534d4f965ae9c4a32fb7033919047c27258d90c23ba33c45759be40c2047a8d629cde732466fb409d9ca15449b28673a35b909e0b7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
421d88d9225bdaeaf58eee12b525616a

SHA1
00884ae0ff662eb19b467fc4bdc781bce3ad6450

SHA256
e526ec11e494dfaf3d3027f43ad545b9f740e9872c2477a61efd7e5aa178dc68

SHA512
3adc47f6494eadd5e2d50bd3d1f9efd8ad13f9f78cf9ce81efd8094da23817407a475f7345d8148f06cb08cee225989881211ec19dd042d6f19bc5dd5541ff25

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
dc81f4b39be87df72f28edaf1dc73bb4

SHA1
c0d1253b34fe9bc49bb26dd79aa9c341d8983daf

SHA256
18773282289fd8c3eabeb019caf72e5f080261dd6bfb74c05fe2e83a1cce1c50

SHA512
018ca7100d1c6844d42bde2b8cfd98b13ec2e230ab52199aa2e683297029bf88e5cc56a3ef1d360eda4b360bc00d047d593af96d0c62448994729b753cb3fb3d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
5b26b6a64937976b7e686f4ecd469751

SHA1
3740a577d0ac3650fa9781058cc0059c9974020e

SHA256
f27935bdf97c39b18efdb1480e3549e8320c7e80098f7653e3c07298204be59e

SHA512
0b9e8c6c4d38276121a5f112bf561a7593a6ed95eba941a9eaace1ea0a2e817ff4f254f5acc2411b2231e4657adf9632974cb9b0257a4ed274ff6db6a0971c50

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Plugins\mail.dll

Filesize
1.2MB

MD5
80b1af63d2de40628b1b5f0bf86e827a

SHA1
f7267eb35f8b499c91a6e69db74f9c686286b621

SHA256
7bb3fb17dcc23245d734870b6c2c2cd0f472467a70f32342e08526796f0258ac

SHA512
d5081a83c7df32f20a00e4ec39570fc034e99c9a79f47cab5189a27910b2b25b9c98b65a878211ca2945a2753fb8f37ead2de5daf095ad3317c40b84b539a6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
129a4ce81f9a7b3dc2d98e090a069f05

SHA1
a266de9a5f3fea40e7de85ddfde49f4b6c515c96

SHA256
9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

SHA512
3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico

Filesize
1KB

MD5
34f4618666b7e80e687b25b82a7da5e2

SHA1
ab543a8992b71891139d608d77403a59bfabd501

SHA256
fa975f7a7a854a7730b1c92d1567706dce2eab80d78cf131eb1cec40e88cb7e3

SHA512
b7e4eeccdd9d84d9a352e9490f19d08c06c54554ac52e3ba9aa1a81de2181a6a185387a323122021303afe32da21ceb3f1f6aa3524c45a6c8d9abac4144237eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC27.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCED8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5OBR5.tmp\RI_AfterDot.bmp

Filesize
84B

MD5
7ccd5a0af4da51cf4962f184fcf9456a

SHA1
de37f4521fa7fee49b37898f4136728e8971ee0f

SHA256
8f2374b30622dfae1fd0b9706520de34c5e1597c1531fddbff65bc0201132ac7

SHA512
d7c4fbc6a4413dc457400fa2e026dea5d639a5b413164cc6939284c46bb46b6ae8ff10184ba2da4f32ace89646b026400db2a49dd9894d71e88d003a91c8267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5OBR5.tmp\setupcfg.ini

Filesize
44B

MD5
56ae4863eb7886b04a9bc318530614c3

SHA1
1ee654565567976b11005d14370c713cf11d2ab6

SHA256
e66a75e4a9bdb2b08d2341f727362f16599729fd2c1a1131407750150f4714ad

SHA512
3d1821b40c72092e1e44a3dfeedf9a45836301b098ab72bd0affd8398d27de256b12b0ec02745b1acdc65738090a386ef2de337004ebff02442b641ffe81526d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5OBR5.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
53723b9af00bbd8d2576c75278098e89

SHA1
1608f02f75a5fe00cacd2b8b513bd0c836af77c1

SHA256
464d440bb9d5fc57daaf4d14596cf2bd3f2c4ce209438135604e24635a3d7d86

SHA512
100917f2d5fb447097c3bd87d3a373d8b799ef8f6e061bf3c1663c4508699db107c0a2a88eac8879a171f7173de8e6fbd8ecf0141d862a21ebb672f9fb8d5fde

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OKDE.tmp\09bce6fc3fa2b0972d7173726a67ca42_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
\Users\Admin\AppData\Local\Temp\is-5OBR5.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-5OBR5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/236-264-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/236-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/236-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/764-273-0x0000000001E10000-0x0000000001FA1000-memory.dmp

Filesize
1.6MB

Download
memory/1740-266-0x0000000003800000-0x0000000003837000-memory.dmp

Filesize
220KB

Download
memory/1740-394-0x00000000045B0000-0x00000000046BB000-memory.dmp

Filesize
1.0MB

Download
memory/1740-267-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1740-277-0x00000000045B0000-0x00000000046BB000-memory.dmp

Filesize
1.0MB

Download
memory/1740-392-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1740-434-0x00000000045B0000-0x00000000046BB000-memory.dmp

Filesize
1.0MB

Download
memory/1740-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1740-22-0x0000000003800000-0x0000000003837000-memory.dmp

Filesize
220KB

Download
memory/2344-241-0x00000000033C0000-0x0000000003500000-memory.dmp

Filesize
1.2MB

Download
memory/2344-276-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2408-205-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2492-395-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3032-270-0x0000000002350000-0x000000000245B000-memory.dmp

Filesize
1.0MB

Download