be33af0711252d2507835a12f453b3c7e1cbfa1c8db527a074e6bb02e55c4236

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe
Size

2.7MB
MD5

0e3e925c0f21e8c9d2fe82be5fda251f
SHA1

00da8fd38190c27e4df1da7a289fd13d1b680436
SHA256

be33af0711252d2507835a12f453b3c7e1cbfa1c8db527a074e6bb02e55c4236
SHA512

a0c9762bc06b233e6cfacc7dff2a8b7c130ba42359c3c0a543aa64208bb7b091324d3b0dafb052a2f05ef916ebd0c73175cf4029163f66409b53159518093ed2
SSDEEP

49152:aZ74mej7s9QlRZPswbIEvSD7haUNs/NW5GsA1L5jl89ebA5rOYiZnF:aN4aKfE0IPhaUNs3XtpAebSivZnF

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
4136	Inbox.exe
4016	Inbox.exe
4996	Inbox.exe
2884	Inbox.exe

Loads dropped DLL 9 IoCs

pid	Process
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
4016	Inbox.exe
4016	Inbox.exe
4772	regsvr32.exe
3776	regsvr32.exe
3776	regsvr32.exe
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-5JPDT.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-7BDBT.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\is-49D43.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-R2EPF.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-RK382.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-HI13L.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_weather_plugin.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-PJRBT.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-UQITN.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-OAPQR.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Plugins\plugins.ini	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-72DM5.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-0RETP.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-G3NLI.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_navigate.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newser.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\ssleay32.dll	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-1DMSN.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_facebook2.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\libeay32.dll	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-6FJNN.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_1967.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\mail_plugin.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-V4UA7.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-DMUOF.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82845&iwk=845&lng=en"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=82845&iwk=845&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid\ = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\Version\ = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Inbox Toolbar\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0\win32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ = "&Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\FLAGS\ = "0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ = "IAppServer2"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID\ = "Inbox.IBX404"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
2884	Inbox.exe
2884	Inbox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2884	Inbox.exe
2884	Inbox.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 1628	4488	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	82
PID 4488 wrote to memory of 1628	4488	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	82
PID 4488 wrote to memory of 1628	4488	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	82
PID 1628 wrote to memory of 4136	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	88
PID 1628 wrote to memory of 4136	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	88
PID 1628 wrote to memory of 4136	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	88
PID 1628 wrote to memory of 4016	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	90
PID 1628 wrote to memory of 4016	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	90
PID 1628 wrote to memory of 4016	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	90
PID 1628 wrote to memory of 4772	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	92
PID 1628 wrote to memory of 4772	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	92
PID 1628 wrote to memory of 4772	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	92
PID 1628 wrote to memory of 3776	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	93
PID 1628 wrote to memory of 3776	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	93
PID 1628 wrote to memory of 4996	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	95
PID 1628 wrote to memory of 4996	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	95
PID 1628 wrote to memory of 4996	1628	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	95
PID 4996 wrote to memory of 2884	4996	Inbox.exe	96
PID 4996 wrote to memory of 2884	4996	Inbox.exe	96
PID 4996 wrote to memory of 2884	4996	Inbox.exe	96

C:\Users\Admin\AppData\Local\Temp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\is-R579C.tmp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R579C.tmp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp" /SL5="$5020E,2132727,70144,C:\Users\Admin\AppData\Local\Temp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4136
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4016
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4772
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3776
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_1967.xml

Filesize
4KB

MD5
641c15fa465fd213fbafe0a08807960c

SHA1
1a10e799d2d680b457ac2a506e6ce9e1eb639885

SHA256
91bff6c4186deda12939e3b4c51c91a85b83a7d4d7524c8fa4b8c97091fec449

SHA512
84815869e1268bd2cccb4d5fce5112aa3467aee9e869d987a2a19768a8a7ea293fdaa9bc8edafc97998df1d8962f07b5b4cfd1f32c16843acde8d3b558507d66

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml

Filesize
51KB

MD5
01116f926b28cb3442473d8b47a6dd8f

SHA1
5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

SHA256
01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

SHA512
df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_facebook2.xml

Filesize
3KB

MD5
45dc0a638701a1d267778029e7b9439f

SHA1
1a9c21d34cb68498df1687db258a3302d19d10a1

SHA256
8ec30fbed691aaa6aba5f74429b94a7f3b03011347d2179dded2b2a7439d7639

SHA512
0593dab63f4f9a064705531627fdc20977d9afe842f5cd9103a389d1633ee1251f54d5477194a5087e037f0dd075d44ee7fb881104a25ee10988d838148af270

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml

Filesize
5KB

MD5
1b4bb1996fe1d1607c402b5b9b46bf49

SHA1
fdbfd8bac0cbb53b49c672cce3a995ab74b48bec

SHA256
fd3585fc0affdb6e46591fcd3122b8f3a3e59ee949c7677ec1ba966191b49b6a

SHA512
5aa61fba5d3c7de01040ce72d2956fea8f2f61df13148f0c164c8a7f66d95422e29e986c1b1719985ef98ffc808d4e1a51344b7900c50711c33d8e691c133830

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\mail_plugin.xml

Filesize
6KB

MD5
d5932b3157fc5d33bf1c2ee608a9cc4e

SHA1
d5c4a96bca0bd1b7de94a0c9b046c0827ec44126

SHA256
2e1f499961575b0d45f4ab87392c21ad9fad77accccb3dff0d6cd7ced17c610b

SHA512
0fcf2edbaee396d543b7a217d6a92804ce82393c7548152693a9a9f4d4bfbb4c44ccbdf388d576c0991b0eaca7c3df894183152392c9c4f07caa85cbac23cdec

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_navigate.xml

Filesize
4KB

MD5
8e87fe8044e1ba16964d3622a24ce383

SHA1
cf3fc71ca76523e160ba06942c1189035f1a7540

SHA256
fd96c083b5ebbf8d84c24fb45e61a5785d7c56a9a9508e4dae109f02230c8f60

SHA512
c426226546317ff99b9fe61b9b773fbd9be043a58edd1369ef2c305ddd47e66d8e1884726672d1c9d2abf11aa4a1d835b27ea176fd90d0ba9f16958e10e052b8

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_weather_plugin.xml

Filesize
4KB

MD5
6541f47f14d00caf3a5afd2c400728c5

SHA1
bb0f66eb5dbf1b87b7c22c1ffb73aea9044c2792

SHA256
9e5a228bbf6689e00de5676b10a69b1a131ae9b5ecf72274a5cb141026be75d3

SHA512
3f57a699cc299a0a8a309a4fb6f59cde886024f82dbd427dd14c38d149bd484edb280873d4b5e34f56c0126c9638e93f1ec12c34a4cd63cfb024488770ddeb2e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newser.xml

Filesize
4KB

MD5
eed5c90550189bc440bc01a26d26e044

SHA1
fd0a62fb40eb99d267d79e59c32cd0cfbc4b0256

SHA256
402332dd03543861b5290a1994ec97bcbfacc8a9e5d7bc730e363390bf742790

SHA512
6bc13dc9a0e3387b8baa0325812ad2af3641d3cca7dc9fdf6412ceca9f68b29881ab2100bfa9b63744074254fce7e20e38203dcf2f25aacf14dfedfb306c0522

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search.xml

Filesize
4KB

MD5
10ccbc4db5529074d66f938af67a0689

SHA1
28ebcb68e41425f8c226e6cda9781df70ddbd087

SHA256
424c44e549be79e027bcf4ed93978ad3c515bb9632d3610d69f94e16d1ed2144

SHA512
f6e33503abb9df68554136ea4c156d70ebf77199e3e8a18d5e7fed056c2d28e581f7db39567f88662f9705a4da5990b070d99d4ff0ce28e91ef5b0eca3e8a8b6

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
abebbb5e520dcdbad18a67989ce96b60

SHA1
75d8f52df3139e7ff93d8528059ac8be93ae6d1f

SHA256
46fa173e57779f42f71eb2df45a742e05cbf2daa9977f4ecc3f77823894e98f1

SHA512
cbf7047331297ea8ea53b5534d4f965ae9c4a32fb7033919047c27258d90c23ba33c45759be40c2047a8d629cde732466fb409d9ca15449b28673a35b909e0b7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
53723b9af00bbd8d2576c75278098e89

SHA1
1608f02f75a5fe00cacd2b8b513bd0c836af77c1

SHA256
464d440bb9d5fc57daaf4d14596cf2bd3f2c4ce209438135604e24635a3d7d86

SHA512
100917f2d5fb447097c3bd87d3a373d8b799ef8f6e061bf3c1663c4508699db107c0a2a88eac8879a171f7173de8e6fbd8ecf0141d862a21ebb672f9fb8d5fde

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
421d88d9225bdaeaf58eee12b525616a

SHA1
00884ae0ff662eb19b467fc4bdc781bce3ad6450

SHA256
e526ec11e494dfaf3d3027f43ad545b9f740e9872c2477a61efd7e5aa178dc68

SHA512
3adc47f6494eadd5e2d50bd3d1f9efd8ad13f9f78cf9ce81efd8094da23817407a475f7345d8148f06cb08cee225989881211ec19dd042d6f19bc5dd5541ff25

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
dc81f4b39be87df72f28edaf1dc73bb4

SHA1
c0d1253b34fe9bc49bb26dd79aa9c341d8983daf

SHA256
18773282289fd8c3eabeb019caf72e5f080261dd6bfb74c05fe2e83a1cce1c50

SHA512
018ca7100d1c6844d42bde2b8cfd98b13ec2e230ab52199aa2e683297029bf88e5cc56a3ef1d360eda4b360bc00d047d593af96d0c62448994729b753cb3fb3d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
5b26b6a64937976b7e686f4ecd469751

SHA1
3740a577d0ac3650fa9781058cc0059c9974020e

SHA256
f27935bdf97c39b18efdb1480e3549e8320c7e80098f7653e3c07298204be59e

SHA512
0b9e8c6c4d38276121a5f112bf561a7593a6ed95eba941a9eaace1ea0a2e817ff4f254f5acc2411b2231e4657adf9632974cb9b0257a4ed274ff6db6a0971c50

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Plugins\mail.dll

Filesize
1.2MB

MD5
80b1af63d2de40628b1b5f0bf86e827a

SHA1
f7267eb35f8b499c91a6e69db74f9c686286b621

SHA256
7bb3fb17dcc23245d734870b6c2c2cd0f472467a70f32342e08526796f0258ac

SHA512
d5081a83c7df32f20a00e4ec39570fc034e99c9a79f47cab5189a27910b2b25b9c98b65a878211ca2945a2753fb8f37ead2de5daf095ad3317c40b84b539a6f2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Plugins\plugins.ini

Filesize
80B

MD5
e0cc599ccc766828d1faabbe0bf332bc

SHA1
c8e4c6e6adc848f19bf3d7d192074db4fcc48319

SHA256
15c1c617c744cf37861d8b6c4e33709df25a43dd4e2939ec1287b40173794b67

SHA512
0f5f748674f6d50916fa1b07b6c4196761a894564f9afb6ebd0f48294d09e2401c458919dc7dbd54d560a39bf65b795a565eaf0c17bc6e94e709147be65aff76

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
55f23914e91f0e6a4831df7461a1e509

SHA1
4916aac5ce6e8cac3dd3fbb031a555f3064d4eca

SHA256
a5ad8ae0b68eed8cc163d3d2f0baf67e7bb1075eb38338efb955325227c03239

SHA512
cf0f942c152450b4954e8be634ee093896e0374edcebce686ee42974664997c401fcbdd09a57a70f08eeef49eb85729828f0c164ec8fcfbc9dde5fe7e4742631

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
45B

MD5
24627394cb7f60ffd692223f6af509aa

SHA1
62131efa5525637b9807ed5c4055c5c91d0b1538

SHA256
3068997eae1bcb807d2454e7e282ae60009d5e3bebf233f65036e2f71dba9b11

SHA512
51569e17c60281b94f6899340fcc6da062bcc8771568b30475182f594400b2c22f654cf8486584c4638795398352194f6b2dc4436787cb23202bdb1b7a95771e

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
129a4ce81f9a7b3dc2d98e090a069f05

SHA1
a266de9a5f3fea40e7de85ddfde49f4b6c515c96

SHA256
9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

SHA512
3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
70B

MD5
85d9202e14787b5b5018fb1d63f88dd8

SHA1
f887405821229d1f33df7d87215f21677232716d

SHA256
691a2f9ef12266bbb3dd7410da171130a122f168cfbf514fea4dcc765e6ff694

SHA512
f8739267047524144cc3f7035f619b97d2c1617b8b2385a432bf260988abf2eaaf141adb8611d1fc003a8add4869401ed8cb87bc83db742ed982ca49da32d610

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
99B

MD5
314c03449de512dc30f5c239710faa03

SHA1
25f9901d35fb8dce6af783c8b5d0471fd6780696

SHA256
a8309a1f4a393c48493af2a63c5095527c903427ca02a71c86f6f195e0522dff

SHA512
d989dc8ee41b7d23278bddbd5501b4d334721c64c4ad72c1d32ea2b787398e51d5f883b346038de55a4040f788e0c0f8ae67ff6b1abaea5de53ea0a645d261e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
152B

MD5
ee0b686e3b8fc1910de54333c684bd61

SHA1
8b87da1e6e85e6fdc6213d1b7d87c6e97b7f39cf

SHA256
1da5985299042c1841b1baa09b0b7bbb8e9e7eb918e3cd8bbc38b7c551ca2772

SHA512
68b53b14ecae7ab023212da7a00ac729da281203a020c7ae46333d98d9f621cb0d1716f189ef5787c1e21f78f87ef9b1d03bd22562fb4c626344aa776cf49f35

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9DCB39497F031D5F29924F3E93AAF1F2

Filesize
504B

MD5
0808882027abb86954c9a13374895918

SHA1
3951cfdfe7ca9fb796a1bfafd2004280c8aaf26c

SHA256
9d486a7bf1503e43ad844606c2bb43540986137cec460e29ef6a645cc7a78ba2

SHA512
11dd6da41af737a0bc6f4411f1b70ba9e31406d35c7e68ccb326407186550f6ac44c01ebfdfb8fe2e779b58454374bb94fc04f97efcf3615cee8567cecc5d0f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B624848E7D0C04204BF0E664FB37FBEA

Filesize
504B

MD5
cadfba6b8aae7d14045fd012e3b8131b

SHA1
3f24fb2f11e4b23b1859d2906f0b04284a874129

SHA256
bd4e8dca4b726db95b746b8254e38df6ab9f9742c90d0afe3b64881ade41cff6

SHA512
45b78f8c02ea02c83b9ab35eb401dd89fdda1f8531fe1277525edd2aefe166a8f8b46a0553f40d1fbb4fd5bc2bd0753595cb6d49510c561dbb81b3b56f0ba63e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
8ac6fce721c5f07adb9cc6012839b01d

SHA1
8d4db8a833a78cc3881963c9d22e83c8b7604109

SHA256
c76e643b0a08d2dec7088a89a179bac29974abd741c6c82ff265ca69c24c7de5

SHA512
3b2781776d613db814d93e70864569a6f2e3919aff28cc8268400a131466d5a7a02ccdb864c41d2c9a69380dc8b3943584f8684edbf257b31e82e46cd462c19f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9DCB39497F031D5F29924F3E93AAF1F2

Filesize
546B

MD5
01b84c44bd046b02b2a4e7374b00d737

SHA1
5650239c5e4aa8f910d25db3cd9724fb81306280

SHA256
779b9e2739b4445575affa2b7f2a55273feccd38e327377afc458cfddd9decc8

SHA512
91a2347adcde74cf960308da08825325a65dd0184dcbddb28ae25570b908b33a461b7cdfe2722f72e16f0b285b5d2b93a8d0f2d26b16aa54e4361ddf0da81f63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B624848E7D0C04204BF0E664FB37FBEA

Filesize
550B

MD5
0e2212cb075f3d730003b6dad647159c

SHA1
4460ff653f1413d7f01cfd8f59a9add5f423a60f

SHA256
e1ec07b271d1d10e34c30d39b6fbd39535f22c9f2ca35aae113fdd5ded95af84

SHA512
aab7183332eb83d54951ab1cdf7cd7cee053323495e055ac74a772111e77d4a74f1cd3e1b89ec42b465c4ea999395d7966d8dc966099b811145e961cee3fcbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76G7J.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76G7J.tmp\setupcfg.ini

Filesize
44B

MD5
866da2aa5e52c6c9924b4f2336486abc

SHA1
f66e44ef2c676ae98e1bebd0a3dc7a5fc53151c1

SHA256
3abf00b9009b703ebf0af45becf2e02697a39b59c063d7ab23e71e597e7ae596

SHA512
fbff64fb5fe598944f9511c0e7ba539da86c33967e692fc51789a8dcbfbc814ad3c4a1a96108cf7f9702a02b16a661d73d4c5b848203a0290ee255f0b27bf509

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76G7J.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R579C.tmp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
memory/1628-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-437-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-130-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/1628-129-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-464-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-459-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-285-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-455-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/1628-20-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/1628-272-0x0000000004910000-0x0000000004A1B000-memory.dmp

Filesize
1.0MB

Download
memory/1628-454-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-270-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-252-0x0000000004910000-0x0000000004A1B000-memory.dmp

Filesize
1.0MB

Download
memory/1628-448-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-442-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-433-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/1628-403-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-434-0x0000000004910000-0x0000000004A1B000-memory.dmp

Filesize
1.0MB

Download
memory/1628-424-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1628-432-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2884-406-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3776-248-0x00000000022A0000-0x0000000002431000-memory.dmp

Filesize
1.6MB

Download
memory/4016-243-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4016-217-0x00000000035F0000-0x0000000003730000-memory.dmp

Filesize
1.2MB

Download
memory/4136-175-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4488-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4488-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/4488-128-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4996-357-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download