31e08e60e0f8a4268f8ceceb91992e1eaac66c905962f26fa6987a5d9c643cb3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d13890049bfb3a8845e9da92790f228_JaffaCakes118.exe
Size

2.3MB
MD5

0d13890049bfb3a8845e9da92790f228
SHA1

84160998d30cd43eb7754f670b3606ed90dd03ee
SHA256

31e08e60e0f8a4268f8ceceb91992e1eaac66c905962f26fa6987a5d9c643cb3
SHA512

68f631b6fb2e81174ec5a8575bb11932eb0325f18d5d217be662ffc707b5fe36ab84da9a35ef9ade034fb376f6b5553ffbc836e2016134a8939c8fd1a24efaa9
SSDEEP

49152:Ru26FYYHawTokhyUT7aVa3+gws2GsMI9K2upHJcQrtnGQRoEebA5rOYiZnN:w2+HNj6V4T7IMRp9JGgoEebSivZnN

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
4168	Inbox.exe
4776	Inbox.exe
4244	Inbox.exe
3856	Inbox.exe

Loads dropped DLL 6 IoCs

pid	Process
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1608	regsvr32.exe
636	regsvr32.exe
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\social_facebook_panel.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-UHTAV.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-KU7AM.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_2287.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-3MFFO.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-65EC7.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-BB36B.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-GD8HS.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\pinterest_button.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-BS6GR.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-0ACK3.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-O9HSR.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\social_twitter.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-S7H9R.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_brown.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-VISQR.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\social_myspace.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-BTLV4.tmp	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82361&iwk=845&lng=en"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=82361&iwk=845&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ = "IAppServer"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID\ = "Inbox.AppServer"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ = "IAppServer"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\Version = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\ = "Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
3856	Inbox.exe
3856	Inbox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3856	Inbox.exe
3856	Inbox.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1728	3940	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.exe	82
PID 3940 wrote to memory of 1728	3940	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.exe	82
PID 3940 wrote to memory of 1728	3940	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.exe	82
PID 1728 wrote to memory of 4168	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	87
PID 1728 wrote to memory of 4168	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	87
PID 1728 wrote to memory of 4168	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	87
PID 1728 wrote to memory of 4776	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	88
PID 1728 wrote to memory of 4776	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	88
PID 1728 wrote to memory of 4776	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	88
PID 1728 wrote to memory of 1608	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	90
PID 1728 wrote to memory of 1608	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	90
PID 1728 wrote to memory of 1608	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	90
PID 1728 wrote to memory of 636	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	92
PID 1728 wrote to memory of 636	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	92
PID 1728 wrote to memory of 4244	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	95
PID 1728 wrote to memory of 4244	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	95
PID 1728 wrote to memory of 4244	1728	0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp	95
PID 4244 wrote to memory of 3856	4244	Inbox.exe	96
PID 4244 wrote to memory of 3856	4244	Inbox.exe	96
PID 4244 wrote to memory of 3856	4244	Inbox.exe	96

C:\Users\Admin\AppData\Local\Temp\0d13890049bfb3a8845e9da92790f228_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d13890049bfb3a8845e9da92790f228_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\is-B69D8.tmp\0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B69D8.tmp\0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp" /SL5="$70050,1737902,70144,C:\Users\Admin\AppData\Local\Temp\0d13890049bfb3a8845e9da92790f228_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4168
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4776
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1608
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:636
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_2287.xml

Filesize
5KB

MD5
be1e4827a19ef48648563a9e98b6f188

SHA1
80afc7ad0008a5de7b9731546447589afd5066fd

SHA256
7bbc09b928b2391000a935287b140f5d240206f7b0bda3c3917dbe825a938406

SHA512
ffb55e001edd82cbb3568e8a78afc90a9848efa9d79f4490d9cf707581399c8e4a60048f0c883a5c27944e26588d4f31f944724ca5cd307c3a3473afa03c0fc9

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\black_brown.xml

Filesize
50KB

MD5
9db9a8baf643a3512feb2f1014782c72

SHA1
04538d23239e716694e5ea17f7bb9132aa0e3939

SHA256
82f18d65fae1ab1f78afabc7d44cf3725b4a65c93d21d40d776ef69762310f41

SHA512
612d7348882a6d0f1ddc86228556bee42e555143ee9ca78000a52d01e764078c80d205796eb9de39e903a35a84b12abf69e4bf4bfb4976396ab1109c34812a36

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml

Filesize
5KB

MD5
9d25e413b26edd6157f92e120941a856

SHA1
97bfd31d3282cc568e74f8f8b86a3b59f32d36e9

SHA256
694696a703a7e7e27d4da7d7350c6d2eb1cdf3d4494ce523290d94e322436c08

SHA512
481416e4de97faa516d2f3f6a34f2a5a6a9c11f12365e07c712799a9f5e549fc05d1a54a0d46e72eb7c1a1525540bbe8f1e851cf8ef486808e43d77673bae056

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\pinterest_button.xml

Filesize
5KB

MD5
5edb9f1e0f48304c7e7ac837a54a12d4

SHA1
3380c2b399018cec277fb5111cb2b8dec5868815

SHA256
ad88c981ad1cfad58e72b60dfb9d4357c1337e3b32e81d80c665d3e3a9d60405

SHA512
15c4ab8e80458e5684d2ca9e41f518cbeb48cf8d783e9b75ac0925098f52f4ccec4833f0f8513c40d5330804629b57bc970edcedbcaee168efc8c6a04b585397

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\social_facebook_panel.xml

Filesize
4KB

MD5
bc28784f4872f3d8a38c058825ecdfd2

SHA1
96f0a1631f4cc51fc71faf3bca0dc27ca971ae23

SHA256
6ffb7375b67cacff0a5c4a83bde7b958fb039f2f87344ea4b2a455828f651c10

SHA512
6585a1055336a4406261d03e4f5239e0cc3a793394f56bd67b26c702de2eaf9bb252be52105f64ba3aad056f601b2e8ec7f811e4a35680489de9d51be7cecae0

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\social_myspace.xml

Filesize
4KB

MD5
0ae22594aed7c3c0f6a2346a35070bcf

SHA1
4a52f1c230ce76a949aa33d473c504c430e28e42

SHA256
a148bafd6c429e6517c1e11156cc627aa4b4522915e9bf9503319639fe6784f6

SHA512
cc2a151839e7687acf48917d0b65235b0a32011e2342d6951436d84423355efc60ee6da3f83b1fcc29b2bc08cfbfe52d51227d98fda7d2af493652a3479ef90e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\social_twitter.xml

Filesize
7KB

MD5
a0670c3f05b5e4c2887c8fa619b8d265

SHA1
0c4f1d91cf9d72bf072ad96e24768147994c2a01

SHA256
690bc31e087aaa869edf7ac2ca8ecb16386464be67c257dcab8fd4d3b27703b8

SHA512
7317d3ca895d34afb88ef7f0a1a2e3f00c335901902bf2a4ad8397d7cb6914a27e5227d1ff63c9ffece1c28aa910813ba75525090fd0695a625baee4fe42d8c1

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
5c9476a8dd88e998063cad755d08773b

SHA1
0c5bc8c95b89d1387516767f8baee232547aa01a

SHA256
c8b4b6787184a987c15dfbd05876c5bd10de311aecf0ec676b3e9723ffa38da2

SHA512
3756b6fb4fad4135391b8ff277e618270910914ef6c9437ab45c75b769fe8f8f9c09cb6b778d4eab457a2061c7cb8fdc8e6c124e021d39f454a63ce495fad80e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
079c19cc6eda45b0ac316b649024e65a

SHA1
962d3750a7c91b19406abe74bfc28b9f1fbf3534

SHA256
04c86ea774eb13964972ea33ce58cf8a5e6ec1a673332f506b2f070d6c6ca4b0

SHA512
ba0fe67704fe5dd06b2c1c645c8fbd3e756883e80f04466926433064e733741fb4289f27f79c96c8c30e2397224ab8cee306836f86c76f5fac23c4cf1b98b0c2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
d41e340d6aecc63f275a2083f4f7672e

SHA1
9c36eadcb1daf21a220e0b980f5f03aa60ed5a52

SHA256
30914795633b9eadf69ab0244c344c58e9236c406b490673d850ce0cf8f55e0d

SHA512
62b8faad3d4f192a3ee7797a6477ceea9c0c6e7752aa7bcd53dfc9430d9080c8660fbbb5ba7272e5a258b05d42591f8e5fded882a247fbadb88d3016d55e002f

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
5ce4f8875b8f4ffe6f2ab757253fbfd2

SHA1
e47623b3634cdaa4f69694cf720a4099267881b8

SHA256
638a1000de70a7a95457c315ac03b7c7076a392a141604a89e2b4621ae049591

SHA512
42d86c5c8b879ed6a11370b38800348c4755f7fd6441b01e1a9a3915567d573bfa35ef339df9c7896860e645e1e8b94b99e73a380858fdcf07bc4b9fd30322e1

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
eb251f95bc360011a82971390a90ef37

SHA1
51a4ef0f8fb78bd9c60c6f9521eca54a1615f5b7

SHA256
c45aa0cebd159797e58d05777773f7f4de26128386a5c9363eed75877ca04822

SHA512
7331c9264e559aedb9a7f209ab872d5f044e7cc5def5950ce414efee62c26b2224bc8725f0a4bc3f900833ef60654ab4e8b3a6528881238fdbe4b2c78945f8a2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
626ad431c15bb4c4f835422265a04118

SHA1
ba2c430700d0a6b73d537dc348e6fb5f6f508f8f

SHA256
0e657a55e277781d1e1d1bc9159e3e2eac792256fcd1798e8748df14bc3c26d8

SHA512
7ebd4d23c7dd6fd2505c512b384a960b1e4a82bdfe8d39378773d6c87fd55f7731aa4ad10d84db6b17786f551e7029919eaf15f5e11a01f5ea41d0db63458fe2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
52B

MD5
84b25f3c870d44a561c6d554aca385ed

SHA1
5c371702a38d5e2c55ce1d7e5786a79449049ffd

SHA256
0a2afa87d19d4c805758903230938781dd7aa15d63013c342d4ca5ed41916687

SHA512
3306dbc5b456bd8b1a6f6ccea90bb6314601b1a1dc026577cb0ab3461561a88f523efb8e90cb0ee17d2fd983966d3b100ff5c9e8de72b30df62ffa0e43350b6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
6e154bd2aab28f37a3bbe8ef394802e6

SHA1
6efea9c0fdc55c2345369441ef19c32e182e7ce5

SHA256
b581ae9e6dd4f3dcf66fad7afbba62279d195b5af63a997abb342761a5acd2d0

SHA512
b2b8b962a63cc21b55440c38960c22f9e1c76e377244a63c737a5ac4c15d3ded143f3ebaffed74707291c4526ed9a80f9a9e5ef351b50b4f4bb08b81e92669f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
70B

MD5
6d1114852117bbd33547ef2b4413d13c

SHA1
a27c3507b713dea0fa66d8c0c175c88dd598e90e

SHA256
96fd13d97c09cd84f097cffd823f41d9a36b2ba2ea45370428c65d56871513a0

SHA512
25fefd5f5ecb71c953af533eb855df7a193373fe28bba351c366e78a8343aa1cd3de40a00fc57a2843a756b039aecea26335d1d75773cb0ac4939398ab0d4f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
99B

MD5
58b0a159c9492c589bbe878b8315f27c

SHA1
741bb375b35dd5336b1d7ce6ed937c9987d4a354

SHA256
26300dbd3586e50e3c15103d5a4d9a6fea0c3bef3ccd176e77d900267aeac723

SHA512
494dc9e4f6d8e9ef538145004a6b7d25af17617056bbce01f264828bcb14db44fd1a821d8bc294799a6c39492085d00405a3a1a55d04aa80165432ff4ebe3b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
153B

MD5
f94b59f1ef3120b2d5cfb4229d1055de

SHA1
39a7d05b651860efd02aaef9a436a22a283d0454

SHA256
eb5f855ff1c172f83abdc10783157b53063842a1c7b4ca16daf54913b0b13706

SHA512
461b8707c40afbe2c98f1edddc0b1e9a06e2aaf5191584f1b101ccaa018438350f8d0aed28518df1be6c6a8e286f2149fbe3f723bc0552e92450538bcd8dd9fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B624848E7D0C04204BF0E664FB37FBEA

Filesize
504B

MD5
cadfba6b8aae7d14045fd012e3b8131b

SHA1
3f24fb2f11e4b23b1859d2906f0b04284a874129

SHA256
bd4e8dca4b726db95b746b8254e38df6ab9f9742c90d0afe3b64881ade41cff6

SHA512
45b78f8c02ea02c83b9ab35eb401dd89fdda1f8531fe1277525edd2aefe166a8f8b46a0553f40d1fbb4fd5bc2bd0753595cb6d49510c561dbb81b3b56f0ba63e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EF5A8FFDB77E427DAA4FCC1F3D18CADC

Filesize
504B

MD5
6c6224c0cc54437c43f849b575c42c25

SHA1
8573404c60ee20fa8f22659e219ad206a2118147

SHA256
adbc37a8c145b20d0ffe1ad2ca10acfec20be5baaae5b1d1ee82b2c4f9ba2f61

SHA512
4adfc58e0b683222d83ecfe56e2131bdc2bd5591d1f1a909428eae786a168bf8036f5c9f98bbf1de100c60473694cc795cff7723403b171379cd714742919802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
21380c66c830f8b0cb5fef3115876308

SHA1
731af0bd41f2a5544cca02fea8a80cfa4682283b

SHA256
7d93fa25fba322f30ac276b04b68a30bc6b0dcc8ce90a1f7ebd17563c036fe57

SHA512
67c485dfab54348eebd46e8011e05a6dca9af6937a00d7522348fb236fd57217b8716131014f05d94baf8c7126b4683425a3d80c180665f0f7ae122dbc832e4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B624848E7D0C04204BF0E664FB37FBEA

Filesize
550B

MD5
9e09277723d22a60f67c022f4b037d5d

SHA1
2ffc6623dda87b30f8e2230db954f5768b5c2fc3

SHA256
d793e41c27eb50f890c688ca506fd8c3070bb63b732c16f2d475c445914f03fa

SHA512
b7d53d9f91a79d97fdc877e324892bbe70c95aeb39f2def33972e2721438a7c55aa4ba19833ff786583b741cda8d9dd8190807208b8ed76725157864d927a719

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EF5A8FFDB77E427DAA4FCC1F3D18CADC

Filesize
550B

MD5
af26d7f945b8638ed2955450cc765dc0

SHA1
9094e8b2d21a081e26256eef84bef02608064303

SHA256
fa707aa179a31c0651dc91c53d97c6bd7bedf1235b0896b57e53dd303b61f732

SHA512
d9cf165d8f0ea2f23f7b4c1facfa5df7829baf0fc512ccf003862b193996bca26989408a5d855e3898ccde6a2ccd1c18e5549b80dda80033191b3a7c127647bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B69D8.tmp\0d13890049bfb3a8845e9da92790f228_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TAIEO.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TAIEO.tmp\setupcfg.ini

Filesize
44B

MD5
e88ca2a4c90148f9e95e6df37e2fdf98

SHA1
2b83e3543898ac016ace741c42514cf878698440

SHA256
e2c31ad21fbd94cd5ffa2066b88a173085f3c1b869f4ab9ca73540df42c3cc48

SHA512
2eab7002d2da342f95bfad472d30aef74238efb82fbeca5ac277c64111e6dd7bfbbe6335c0ec1bffc7e4e27a8f7645b5bae773926afa8092a9bf145628b08e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TAIEO.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
memory/1728-380-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-130-0x0000000003C20000-0x0000000003C57000-memory.dmp

Filesize
220KB

Download
memory/1728-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-244-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-231-0x0000000004930000-0x0000000004A3B000-memory.dmp

Filesize
1.0MB

Download
memory/1728-420-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-415-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-229-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-211-0x0000000004930000-0x0000000004A3B000-memory.dmp

Filesize
1.0MB

Download
memory/1728-411-0x0000000003C20000-0x0000000003C57000-memory.dmp

Filesize
220KB

Download
memory/1728-20-0x0000000003C20000-0x0000000003C57000-memory.dmp

Filesize
220KB

Download
memory/1728-410-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-129-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-403-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-359-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-398-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-393-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-388-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1728-390-0x0000000004930000-0x0000000004A3B000-memory.dmp

Filesize
1.0MB

Download
memory/1728-389-0x0000000003C20000-0x0000000003C57000-memory.dmp

Filesize
220KB

Download
memory/3856-362-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3940-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3940-128-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3940-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/4168-165-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4244-314-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4776-204-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download