d1594ec59c4881a07fc26d9939e24cd5dff9d02545ecdcb4d4bf7e4bce5866ee

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb58eec87204e929a119b801f856061_JaffaCakes118.exe
Size

2.3MB
MD5

0bb58eec87204e929a119b801f856061
SHA1

b09fea726c738c27765b3ddf7826b1d14a0886d8
SHA256

d1594ec59c4881a07fc26d9939e24cd5dff9d02545ecdcb4d4bf7e4bce5866ee
SHA512

35114723d20f27aca6648851e1068914edf2a4e886aff9d40fc18b59f36a10cb2398ddd9a586dba2d6b290a5f51ab5df9a83f09714afa3578c9fb11fb405f7c6
SSDEEP

49152:2gIeoURc7Ib6SUEqdZN1CXRc52Sfm1/arMdcfvDX4N8kebA5rOYiZnv:2gI6ckbDe/NQyw8j+5ebSivZnv

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
3572	Inbox.exe
4656	Inbox.exe
4420	Inbox.exe
1236	Inbox.exe

Loads dropped DLL 7 IoCs

pid	Process
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2872	regsvr32.exe
2872	regsvr32.exe
2412	regsvr32.exe
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-B0HVA.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-SVB4F.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_1680.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_search.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-CHVL2.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_2287.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_live.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-TOD08.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-VOB1D.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-5G4NV.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-HCBPT.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-PS397.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-TBQ9P.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-JVSCO.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-8JI6G.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_programs.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_shows.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\burgundy_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_news.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-TDHQ7.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-R25QQ.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-E5I3N.tmp	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb58eec87204e929a119b801f856061_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82768&iwk=845&lng=en"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=82768&iwk=845&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ = "IAppServer"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Inbox Toolbar\\"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\FLAGS	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0\win32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Inbox Toolbar\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
1236	Inbox.exe
1236	Inbox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1236	Inbox.exe
1236	Inbox.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 2524	3256	0bb58eec87204e929a119b801f856061_JaffaCakes118.exe	82
PID 3256 wrote to memory of 2524	3256	0bb58eec87204e929a119b801f856061_JaffaCakes118.exe	82
PID 3256 wrote to memory of 2524	3256	0bb58eec87204e929a119b801f856061_JaffaCakes118.exe	82
PID 2524 wrote to memory of 3572	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	83
PID 2524 wrote to memory of 3572	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	83
PID 2524 wrote to memory of 3572	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	83
PID 2524 wrote to memory of 4656	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	84
PID 2524 wrote to memory of 4656	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	84
PID 2524 wrote to memory of 4656	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	84
PID 2524 wrote to memory of 2872	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	85
PID 2524 wrote to memory of 2872	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	85
PID 2524 wrote to memory of 2872	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	85
PID 2524 wrote to memory of 2412	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	86
PID 2524 wrote to memory of 2412	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	86
PID 2524 wrote to memory of 4420	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	89
PID 2524 wrote to memory of 4420	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	89
PID 2524 wrote to memory of 4420	2524	0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp	89
PID 4420 wrote to memory of 1236	4420	Inbox.exe	90
PID 4420 wrote to memory of 1236	4420	Inbox.exe	90
PID 4420 wrote to memory of 1236	4420	Inbox.exe	90

C:\Users\Admin\AppData\Local\Temp\0bb58eec87204e929a119b801f856061_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bb58eec87204e929a119b801f856061_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\AppData\Local\Temp\is-TB0H9.tmp\0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TB0H9.tmp\0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp" /SL5="$50222,1743406,70144,C:\Users\Admin\AppData\Local\Temp\0bb58eec87204e929a119b801f856061_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3572
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4656
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2872
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2412
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_1680.xml

Filesize
3KB

MD5
4edebd13c2714943f32c7e9f0b6818a5

SHA1
b2f8e577a887e9fee093035c71761105640cea74

SHA256
7323bb377e784a29f2e81d2b3432f1663138ec309ff189b7d346b8e851f46142

SHA512
4744af6b543f3edbda226da491a94ad3f56a2a3f7490d6523f9e05c8e41e9e0030d70fa37950fa657c75634228dc3bb65a5e437322b0fa0d164a6725114ed082

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_2287.xml

Filesize
5KB

MD5
be1e4827a19ef48648563a9e98b6f188

SHA1
80afc7ad0008a5de7b9731546447589afd5066fd

SHA256
7bbc09b928b2391000a935287b140f5d240206f7b0bda3c3917dbe825a938406

SHA512
ffb55e001edd82cbb3568e8a78afc90a9848efa9d79f4490d9cf707581399c8e4a60048f0c883a5c27944e26588d4f31f944724ca5cd307c3a3473afa03c0fc9

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\burgundy_green.xml

Filesize
53KB

MD5
0a60b9a90fd7fdaa1c8df3f302f5dfc4

SHA1
77a9f81cfb07bee2a2422c221f960aaadcc55059

SHA256
ea287230b6a53920a486ded3eab7c1e8dc2c29e931a208ff998445d92e75a8fb

SHA512
b6abc42751978c32224932a55d0a36b8c07febcbe6dd80111e9297096b17a898709b1a9312e3c3f1813cb65b4817e1f9f4326f87a183f47bab82fcfb03732d5b

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml

Filesize
5KB

MD5
960165c51e36c851607ddef8715c22ff

SHA1
f09282417b8b94b6485196d03df1884ce0acb16e

SHA256
0a0b39ee8e0c64281f26470b4f6e3c48c5dff21eef5557f6a9b6df9c69422e3e

SHA512
0488719e9c49792bdd68a3595b5de47d61fb2eb4ee20150fc14803787c7b27e9321bd2db9148d0f1126c3af265b52ec5054b6161e245e23f4bca70b7e6fb3cbf

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_live.xml

Filesize
5KB

MD5
0f8cef472356ff7f66fc9d97da0939b0

SHA1
43b6ae01f7693abaed6a261bc990372785fe138e

SHA256
918dcf2201beeb0fe33305aece4740cf7399372771e97fbe2d234598a9e9d783

SHA512
799571ddecdc56e710ee6f27c3b0aa78529635a6f86cd05de20cc28a63cb6fdc4ce7e265d1ca45b9a06f50c3281997bb5a0368b62140c4f76b56c48ce56b5b5a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_news.xml

Filesize
5KB

MD5
94e00813a7690c6a1538faaff2c5319d

SHA1
bf2bb617c2f42c67f31091b7e6007eb2b5d5bef9

SHA256
e3c77deb3174b38f11b30e8b1311163d054a18e48269c84a56223a6025fbf969

SHA512
a07846a20f5a7afdd2146931413aa4f871330987bb5835902a1e9bb10114d20bfe5cb9951c34bcc9b48d046840fefe4159a79fab1f30951ee1ad49cb7f5bdea5

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_programs.xml

Filesize
4KB

MD5
014c8fb335e8eb0d1159d19ec1e15307

SHA1
c12c591c004a660881c6274c9d2856f4976ae9e0

SHA256
af85a3226ccb99ddeac1fa1f06a512f60e5c3f63561d43c78dfa59d3a910de75

SHA512
07cf7e749db733d6bc4abd4765b0d954f58a52f527bd3f4c6bfdde8643dda5dba3a59703456bbfa941034faf1373b782c599691b2974b41a133cc2c9e116786d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_search.xml

Filesize
4KB

MD5
1afb7494ef8263024b61fc71acf666b4

SHA1
41fe2d249b1ca494136d897b392bf942e161df24

SHA256
8721a023cacf4d228fa2d3262bc3012654f278e86baa85d212ab8df1a8010e93

SHA512
2f09ef930b1adb37141ae49594e285c9d6397b725a15df976f338ae59767254dc6b69d2043ea365a6519e531ce7c1d8d34ba77e50dc7b87683b65a26d6e8a27c

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\tv_shows.xml

Filesize
5KB

MD5
26d06948da503780332192f16dfa9c7f

SHA1
52dfd84dbf6e4125c3f03bb91ac684aef414d12f

SHA256
ddbda7aa61691af921f24c50b65cba2ec7585ac086044a69bd502786764b7375

SHA512
271eb0139189342b127728e3d24ea89594884bda3deaeee93f89d6840ac61243b0cdee8498cd9fc5cf21b6773ccd9b38ee9b43acd9937964e1cf28662a1754d8

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
0bb185dff67d7fb7a27094ebc54feffa

SHA1
f0209c4f0b743ed4f0652f1b447d933493e510ce

SHA256
95b90ef3b5563a69b257d744ef09ec51f9bb78485620e8b972e2fd2b59dc9317

SHA512
7b82090456c80f8f600951b223250a4b9be4304bbc6eff935f14f46c6710f3f6e017aa8a2b6560dc9863f3cdaef26828d23805736d7d883ee017cbab435f9a9d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
cae485fc3d2d8f0fffa09d8b1d4c5b01

SHA1
6c5281ff34bf004f94db98ba40df7ed2532bdbc7

SHA256
54e43ba50a09b709bd0071e530ea4a964d9a93bdfbc29c253b7be35ecc7acdcd

SHA512
525091bb79543354c80a91ad81a0614cfcbb6b26a0c8b280dd67efbb79cddd4eb9d38bb94d2aca97bbea13ef5a594ab9d7b916b991364dce322381cb8b9438a4

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
16185b418ebd90b5c14e264cb844b324

SHA1
bc9bab5d0bf335bccfa6ee78c0f78f20f4a7bd56

SHA256
b31d5ffa476d12440c78923f51b56bec6dfef848782c1dd4ae10014878b73cfc

SHA512
c69787d9869d27a5a11e62a4c19b8b016be410464203426ec137dc109ab52e96085c1150138f30fb4d3b31398c8af2682278d2f60ebf2c4bcdf5720b90eb382f

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
2e702cd9856907e893b5d0b5194c6c2f

SHA1
d4ff80d0d61c2685e6fa8815a401e7a30ee7b0ed

SHA256
34616102863f28bc367bdc9d12b9ecb5094de33caf18e1428e376eb8e4391aca

SHA512
647903aa01bbf83547a48b4504037e7ff617d1a59b4440461b6300127774e25004d8e6802d02757a47ab7ef445260ab5752a3f0a5abb6b4aa55551037ed9bd0f

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
3640e7b34d35f0463e4f344db7320036

SHA1
c68f6778b4f826bf02656fc1ce348a019926dc3b

SHA256
bba138413cf2db21ef3b5bc3f0ba12ba55a6b79608c5601fa5dbe65cf69e943b

SHA512
cf2cad69e40aae47acdf82a0c32359a01f64c033404227cb144f4f43072370594c989d00ea1f58aeb31ce1feb944e5c3523d3a7a3cb5b98e26def589dd7c248c

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
ae3bb81cbc29aad4d242edd5e610b0f1

SHA1
86229d912f476c9457e00440c16ca7d08769b5fd

SHA256
4c6bdc7a576ebb72b421010b6c5bc5147eba859a5b83760fa72a1080639f9f7a

SHA512
243d08e2fa4ee2263978db4918073124255d3860852493bb0e891fabe274b20c511b6755f3f257126226346f24e58a686903db56fe6fa20d465fd85d4f548e97

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
48B

MD5
15e73dc0db4c29f674afff33c33dce23

SHA1
7c5cc605ddd00c547f1c2ba33226e49b980907be

SHA256
9329c6d1fce8f45261dea7ff282bcee09d97cdafb4baf6415731a06263adac63

SHA512
7bf64670204e4ff3727879bcf34ef9bb3c4ede7ee51f2e33edef22faa77fd85e01e68fb61ef6e77b874125a5f748edac89126797e7033548607ab0fa659d19b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
33B

MD5
6e93957e19ad8332caeae0f9ddbf1210

SHA1
029d970d1963dd406b839e0af491f016c3ee8418

SHA256
e820a0e36422cf2ea464aa75072c4999a864697c843b11f6c551c8c108fd090b

SHA512
735c35ecde6b0df284ea42156af4fcc400539d5a2a8ce05df8a0727b77b737a08edb1e619fbf8ed4c34dab626ef5ee73e89b19bda2e4aacceb94667fc63e26d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
73B

MD5
e03e6d67d3da7fc43d0726eced274fce

SHA1
206764936c46644a6108bddfa82437d5706b486d

SHA256
0af05aa2920b1b3c8f0978ac876058377f8be6a8acc2536dd8d8bd9e95504d35

SHA512
3cc0cb2dd0ff3b825bf0541ee86e7db42f08ab6419c4c8ebbe9294606b7835a056501f9cbfa61485ebeaac3d8d8601631e8f567434993a6052bb63502f8b0e60

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
102B

MD5
3dcab083bb91579c7cd4e9839629025c

SHA1
4eb912fa10c0ffd0f0da8e3a35cf4f0ceac39fed

SHA256
45f202f9f8321f86dc5c3eb80086f47b5d535f9fc2c5854c749ff244f5862db1

SHA512
755828ac6c279d63ec56cde1a8244e333e0b8174f53b1cba32c040be13d32392ab88a7aacb4519393cf99c4cfdd0cfbfeb914faba8a034c4d13bbb4b51aaf201

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
155B

MD5
ac8079425681a352ee257975bd39e72e

SHA1
5a15d6327b305abcd3c59abc0a97e4e1efe016f1

SHA256
ab77ce2dafd95ae9cdc4f75c2f02abcb2198268fedc4902ee279226f194c2a88

SHA512
1fff8540b7f09ea410dccdb78d55e8290f2669f295328c48d94d9e5768f7ec6966d40d70a3b92aabb0a9318e484c6629fd26e6975f65b069948217d3c7e36302

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4EBB0BB1994A5FEA68A685E8E6F35B7A

Filesize
504B

MD5
e0717e44510fbcf7fa39b4f7b47c92d8

SHA1
9ac41015c6d9dae5d5e49a3342a7e4be54786e3a

SHA256
c0f89e1711e47bd8352da6ebf81be9ff89d539233743ba38c8c04ef2c3ae114b

SHA512
b70afa8cd4416efd9be76df5f201ac87970dcea4a482e461813ddfbd4b9ec5c3fdef5eb9ad0eceb13b847c45b336aa046e9967d7ba3bd396295b6ccf1c7f7f84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B624848E7D0C04204BF0E664FB37FBEA

Filesize
504B

MD5
cadfba6b8aae7d14045fd012e3b8131b

SHA1
3f24fb2f11e4b23b1859d2906f0b04284a874129

SHA256
bd4e8dca4b726db95b746b8254e38df6ab9f9742c90d0afe3b64881ade41cff6

SHA512
45b78f8c02ea02c83b9ab35eb401dd89fdda1f8531fe1277525edd2aefe166a8f8b46a0553f40d1fbb4fd5bc2bd0753595cb6d49510c561dbb81b3b56f0ba63e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
403d7d89f18a5e74b598cbf087ec397f

SHA1
96b16b8e18bb1f3192b9d2ee5aee4782eef54b80

SHA256
08ffdff6cb7b73fe5e6ca4fe90e5a0a7db5938c196dcd7a23fcbfaaeb2995d84

SHA512
2735b228f9df2f5ad2bb7713abbb53e2004af437465a71a2c64f96689467e7c2d2b9a48736f1b029013b8772d87e396ff4188c72bcb6bff635d449c3fa65175b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4EBB0BB1994A5FEA68A685E8E6F35B7A

Filesize
546B

MD5
290bb756f5da471c124ceca8e605e492

SHA1
8de91d7c5087a6d0ec7d943c21049a39aace4916

SHA256
30009415cc0d2f6acd74a13bf4833142b6647c12d709bc1328c512f71a7d46f6

SHA512
e47b8ee20bef79e2b647f3296c84b8d17643cd313e31b5cef33e8410ffd069db1b2bd4bf96c4822e3540d87a2fa78c15d519705e03d95d666e05c69b59cc8049

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B624848E7D0C04204BF0E664FB37FBEA

Filesize
550B

MD5
27bdc33d1c270cd007b2d8d5556efbcf

SHA1
df694bf83179e5aeceb9846013f5e9d21ab95aae

SHA256
7c3bb8bb2003e4921536252cbc1ec00db5711a4b7f0f3477523d6469b0e02224

SHA512
46c6974dde45c64bfc06b80628e00467a76237f2898aa7a8cd97fdfa1bf12e1d30ed80681d98a1b474bab0656df39c3e627c011030bffe81326793b36e3d0281

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8SS47.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8SS47.tmp\setupcfg.ini

Filesize
44B

MD5
36b6662d1bcd2ba4af8310b66209f60f

SHA1
a7d765388a0cbbe4f2d7cf647052f291b26ede2e

SHA256
fc3ee7916f0622db385ab91ecae930c6c5913306eec91a5144a9c0691e9c09b1

SHA512
edb4b1c0c9673baf5c79dbca511fbcc975da9a2a4decb9e5db7280c555121e5502033e6299301c127616ca95503cc998d721e06ea9d6e19d3006ce6fe2c9c54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8SS47.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TB0H9.tmp\0bb58eec87204e929a119b801f856061_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
memory/1236-376-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2524-403-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/2524-407-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-434-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-129-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-130-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/2524-257-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/2524-256-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-20-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/2524-428-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-424-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/2524-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-239-0x0000000004EC0000-0x0000000004FCB000-memory.dmp

Filesize
1.0MB

Download
memory/2524-238-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/2524-423-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-417-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-237-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-373-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-219-0x0000000004EC0000-0x0000000004FCB000-memory.dmp

Filesize
1.0MB

Download
memory/2524-394-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-395-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/2524-412-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2524-402-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2872-213-0x0000000000970000-0x0000000000A7B000-memory.dmp

Filesize
1.0MB

Download
memory/3256-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3256-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/3256-128-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3572-169-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4420-328-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4656-243-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download