a98d87fabab8e660425c9c1f9960070fbaf3a8f0b5f64c90537ce848b9e3ba83

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe
Size

2.5MB
MD5

16e11b36262eb534ee829e2de2848e72
SHA1

3f9d8e152540ce5ab007314eac12f5810350efee
SHA256

a98d87fabab8e660425c9c1f9960070fbaf3a8f0b5f64c90537ce848b9e3ba83
SHA512

60cbba94e0ca6ba8734cf40045ad19e1f38c1d6fcbe2745798fd61ef0b039d7fd7c2343b3a2645fc6e325fe0aa4f031977235e6be8f33cbde71b87e2e1bd09d3
SSDEEP

49152:naSDJLr+Be0SeBk2a5wL18ou9DjMYcOajZqOLBNwDaebA5rOYiZnU:ntO0iaaB879Dj3cOodB+GebSivZnU

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET908C.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET908C.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\tbrdrv.sys	RUNDLL32.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
2900	Inbox.exe
1480	Inbox.exe
520	Inbox.exe
2340	Inbox.exe
564	AGupdate.exe
1284	AGupdate.exe
1080	Inbox.exe

Loads dropped DLL 20 IoCs

pid	Process
3064	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1480	Inbox.exe
1480	Inbox.exe
2684	regsvr32.exe
3020	regsvr32.exe
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
520	Inbox.exe
520	Inbox.exe
520	Inbox.exe
520	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-OEM3V.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-ULBUH.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-49AML.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-Q54FG.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-CGDCU.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-SPUPN.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Driver\driver.cab	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-2LK08.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-VH6JT.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-17285.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys	Inbox.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000f8ee61987b13d4ac19648303ab5b3afad8592b92d15840819d922acdcf41d806000000000e800000000200002000000083bd56ba74497ab5309ec99ae0954b6c221525bc4bdbcc8d4799b303f9b8c6bef00100009d42e2ab61eb3437291eab0a1c21e997c7a34485dbf512ea95114d5f7835604ca65c218147880be1ea1d3657f657e6395cbf8bd82b9e3b8c707cba5361af161cbcaf6fa1030701a421735c57deaef7683709fe735060b6420284e6b3c9c8298082ec7087469eb2817671862e021e7b45dca4a5bf775e95d417ce897ad770d69d84c84f655e37c7022d8c6e264b17c8e52f8b465df33b948d579c5954eb5cb57666f088473798d28e7c87588cbadee027d01eefd2bd784d409f91a688880d2892f041f66c1fbf80fc008ba3f7f5ca4510baad402e24b9f7dc55d948ebd12e9ca1af4182f33458a5d00cdde85b218344aa5f40faa1e40641003ed3a67d009c3ac4c18475828d741cd7baa163067c2f8ccb8f0e7e61a58fe998e425c2cfb231e277783660423e99cf61151682a5eb5b24dc90d55faa96f18d6ff9b491074a7be9249e26c6582ebd880190103ee529862b628d8e55654654125fc47fc79833773694db3a815950bcc4f994fd15a41ddc64fcfc9c032ffcf860e9a0ec8aba7904fa0c3b090f5c13e5831c136178f1cb84df0022a7e516eede4866e55f419b6a9e38624286d38953d3396ad1ae966efac8604ac8ba589c8b82ed85c77f40f8243fd5ae6b28d051ec5333fef62749098694111f836146e8a26e524c7d777d0b57d52394fc5861795c890cee16e634cea3ae150940000000254993cdc1b91b28290fa0717452037673c9e43fbc82c515c4f2de9fe5319b2e686a34e70dc688c5bbbbd88a9653f15ceb85ce3357d086a27a38804ae5666618	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\User Preferences	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://search2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80139&iwk=845&lng=en&rt=1"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c529c5cd53cb0b0da9c4b9607e1a7e2e	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434277867"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357562fec9b1c5830f83d37af4151d09f6	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357562fec9b1c5830f83d37af4151d09f6	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c529c5cd53cb0b0da9c4b9607e1a7e2e	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ADFB46F1-82F1-11EF-B6DF-4A174794FC88} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000c5dfbd7d17603f06db47f8c3741a55e8b55d0366eebe50c25850e8289ac5ab4d000000000e8000000002000020000000195977f44bab988c94b20af187b06fdc8836a744382ff210a4e48b35ce62e70c50000000a7614c37bf32f8763a9f992eeead3327cf1ea9de8ef59d7c11f04424e9f26a9531605aab92e1fef37f77f50d9983cd392cfd9fb5a3cea4f2f738726803ed097a6cc7e8cfe4a91e2c6549973014a719954000000023058b6ba4766b5b91ef6f96bb3ac2b44b637a4a892ed9c8b7379841e2e6c88eafd1249a80bce57aafa615431519dfead5d515b245793e4884fe1c1529e31e52	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000c854d9c879a8f2f2f35fba2d2b9f941c85dc67ca9cb44ed1197563c30a1270d4000000000e8000000002000020000000c54930afc4bd780bd40ec23b51ef852a2219274085ff32c8c651d1fd699d24fb10000000e42374c07eed72af9daccd58448fcbbd40000000b558eb05767af7a53c1890f0eb821e0198af44aa3ba5c59f1806b42c0a769044d63a7d6bf2e5a85e8d740e184909731bb60fe710d2d07f9b12ee8ac48d9003c3	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Inbox.exe = "11000"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80139&iwk=845&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\Clsid	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\Version	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ = "IAppServer2"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ProgID\ = "Inbox.JSServer2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	340	RUNDLL32.EXE
Token: SeRestorePrivilege	340	RUNDLL32.EXE
Token: SeRestorePrivilege	340	RUNDLL32.EXE
Token: SeRestorePrivilege	340	RUNDLL32.EXE
Token: SeRestorePrivilege	340	RUNDLL32.EXE
Token: SeRestorePrivilege	340	RUNDLL32.EXE
Token: SeRestorePrivilege	340	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
2340	Inbox.exe
2340	Inbox.exe
1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
1280	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1280	iexplore.exe
1280	iexplore.exe
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1400	3064	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	30
PID 3064 wrote to memory of 1400	3064	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	30
PID 3064 wrote to memory of 1400	3064	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	30
PID 3064 wrote to memory of 1400	3064	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	30
PID 3064 wrote to memory of 1400	3064	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	30
PID 3064 wrote to memory of 1400	3064	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	30
PID 3064 wrote to memory of 1400	3064	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	30
PID 1400 wrote to memory of 2900	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	31
PID 1400 wrote to memory of 2900	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	31
PID 1400 wrote to memory of 2900	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	31
PID 1400 wrote to memory of 2900	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	31
PID 1400 wrote to memory of 1480	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	32
PID 1400 wrote to memory of 1480	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	32
PID 1400 wrote to memory of 1480	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	32
PID 1400 wrote to memory of 1480	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	32
PID 1400 wrote to memory of 2684	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	33
PID 1400 wrote to memory of 2684	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	33
PID 1400 wrote to memory of 2684	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	33
PID 1400 wrote to memory of 2684	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	33
PID 1400 wrote to memory of 2684	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	33
PID 1400 wrote to memory of 2684	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	33
PID 1400 wrote to memory of 2684	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	33
PID 1400 wrote to memory of 3020	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	34
PID 1400 wrote to memory of 3020	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	34
PID 1400 wrote to memory of 3020	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	34
PID 1400 wrote to memory of 3020	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	34
PID 1400 wrote to memory of 3020	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	34
PID 1400 wrote to memory of 3020	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	34
PID 1400 wrote to memory of 3020	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	34
PID 1400 wrote to memory of 520	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	35
PID 1400 wrote to memory of 520	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	35
PID 1400 wrote to memory of 520	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	35
PID 1400 wrote to memory of 520	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	35
PID 520 wrote to memory of 340	520	Inbox.exe	36
PID 520 wrote to memory of 340	520	Inbox.exe	36
PID 520 wrote to memory of 340	520	Inbox.exe	36
PID 520 wrote to memory of 340	520	Inbox.exe	36
PID 340 wrote to memory of 1944	340	RUNDLL32.EXE	37
PID 340 wrote to memory of 1944	340	RUNDLL32.EXE	37
PID 340 wrote to memory of 1944	340	RUNDLL32.EXE	37
PID 1944 wrote to memory of 1360	1944	runonce.exe	38
PID 1944 wrote to memory of 1360	1944	runonce.exe	38
PID 1944 wrote to memory of 1360	1944	runonce.exe	38
PID 520 wrote to memory of 2340	520	Inbox.exe	40
PID 520 wrote to memory of 2340	520	Inbox.exe	40
PID 520 wrote to memory of 2340	520	Inbox.exe	40
PID 520 wrote to memory of 2340	520	Inbox.exe	40
PID 1400 wrote to memory of 564	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	42
PID 1400 wrote to memory of 564	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	42
PID 1400 wrote to memory of 564	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	42
PID 1400 wrote to memory of 564	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	42
PID 1400 wrote to memory of 564	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	42
PID 1400 wrote to memory of 564	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	42
PID 1400 wrote to memory of 564	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	42
PID 1400 wrote to memory of 1284	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	43
PID 1400 wrote to memory of 1284	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	43
PID 1400 wrote to memory of 1284	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	43
PID 1400 wrote to memory of 1284	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	43
PID 1400 wrote to memory of 1284	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	43
PID 1400 wrote to memory of 1284	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	43
PID 1400 wrote to memory of 1284	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	43
PID 1400 wrote to memory of 1080	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	44
PID 1400 wrote to memory of 1080	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	44
PID 1400 wrote to memory of 1080	1400	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	44

C:\Users\Admin\AppData\Local\Temp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\is-MJPI8.tmp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MJPI8.tmp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp" /SL5="$400DE,1888839,70144,C:\Users\Admin\AppData\Local\Temp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2900
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2684
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3020
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\INBOXT~1\Driver\tbrdrv.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:1360
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2340
- - C:\Users\Admin\AppData\Local\Temp\is-PMCKF.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-PMCKF.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:564
- - C:\Users\Admin\AppData\Local\Temp\is-PMCKF.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-PMCKF.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1284
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /postinstall
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging "http://toolbar.inbox.com/lp/inst.aspx?tname=Games&c=4&tbid=80139&iwk=845&addons=1&addonlist=&afa=3&lng=en"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1280
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml

Filesize
51KB

MD5
01116f926b28cb3442473d8b47a6dd8f

SHA1
5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

SHA256
01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

SHA512
df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml

Filesize
4KB

MD5
04e1df757b9b5a6418d79d072db000ce

SHA1
f118b45fa1092a7d473886b05984580dfa5eb5b8

SHA256
20ddca93499bb0a82627577b4cac56b6bb4c0ccb2c10ad92d16bac8b09a96864

SHA512
380eeaa2bd01629c7128a0971d6855f30d4e99bb9347d465a670419d8684585b1f7d52c6ea6e30d12bd7b0101ea1c9399c7e4f1f781db35c225f97a5e0d8d871

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml

Filesize
4KB

MD5
4b3274899a510ce0a0eaa6427bfd2869

SHA1
bbc6075fd32dbb95a254ceec0083f008113f7dc3

SHA256
1799d52866f0579798e7817e9168017bfd5a0a6e452af848e1dbe7311324c0f6

SHA512
4e9ebb12d5e6fa334bf7cb3dd4424036b3493958b9d6755fcaa5b61af9cc2898c588e6914b16298012b385cd0e890c024a607f120332c677f7b7d521952d4059

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml

Filesize
3KB

MD5
ccd6e298e340f9adc0e7359e9e924441

SHA1
87a1a8110e60fe6e0322e253170fb07c64dfc97b

SHA256
81857ce2a92da97d87e489612c6b5a82fb37f2a5856a36b772764f7072452701

SHA512
2bd078aaf07ece5a21c7353bd1843f9be60615775f19d1f14e0551c688b63bd21ac8c158230669f719180a724d64de9665720ba593323b87a638e3163ace5d17

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat

Filesize
7KB

MD5
dacf44f0b690f4c0053d31535fef87f2

SHA1
d2318c6c771a4adddd507c2fa6aa7d81ebc7aca6

SHA256
9175d7ad0f699049214a066e3b7672036a64354fbd88b002fb34f1d8c583d334

SHA512
60c7e1f3fa5c5515907b4e2702b0ffc1f32129fc92c75653ab7591745d78f7fa59b0a6c505b21cedb36151d4ca4a0fa1b90f09f8d267f7c9bd91a9605a87b7ce

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf

Filesize
1KB

MD5
c84b4baaa44b8989b2e76b42c1ab5301

SHA1
36ee3212aec954e82fd73c914717c7ad32cfc367

SHA256
94ecff1e1ce8d5d5ef349769ee4236d230a7f58dfbd0a7d32ebf84c2b41fcec8

SHA512
230bab43937d5ec8600882b2ca6249b07fc580fea5b1c8817ede28fae6566bc78fb8f2088dc4dea0997e217c94659063dc3d2adff0405944b427d325ebe373a7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys

Filesize
35KB

MD5
e7c0aac166d688ab41dff2f17e420a3a

SHA1
00b70a50af14b497cebd100344fafbd3a564fd5b

SHA256
babb144ed6471079b6922914646a110f9fe5588ca3d94deeeda584c484e4ed26

SHA512
fe539d89e28204b1d09607e9f0450ae619ff71efdfccb4597641a27cb3234fce1a2061e273bd8490c9bf15d19871aa93c1bf98c909b6c252549c40915d62721e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1014KB

MD5
cef98a42f1f86652b0ca1c31fdc2e288

SHA1
39d597dffab6d36bc47f21fe20f2eedba864a5ba

SHA256
39490eab802f21e6d00ef5eef0e1532b69a64dbed537c39f6c6129c14b6406bb

SHA512
498fe3191d3d9852c5d7ccd960847f24dc41af43cd2d4d05569b11a2b2f0b5b1c74d66ce520b58a7a6759bbc729d11dccfe5d0a1e6c5b2422ddd083adffae5e6

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
7e2839c0e98367690b3af21d6408aa17

SHA1
99d41f4b0c57b5e6ef1efa2350038e10d4188035

SHA256
8cec384377ada9c4f9bfa6d03b8e6a2ed0dc650cad45b82594e11338458271ba

SHA512
d637ad72dd205f47ba4a163a88eb503dfb24f03a4f0b0c01aef8c29dc49942679eb5db47a1c63ed042f1f1fecd06d8ca6121972f33360cce5b956c0fc530286a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
565371d1e7f731b426c5e36e61d9f003

SHA1
c7752a54f5ad38002ed6452c19570adc833f9e89

SHA256
ac43b254a21613bce70efc92a047cec6c5b9d5c4d6a2ab231ca5fd3b3665520e

SHA512
f498bfb9dc3016cf8be350b837d668441e0a4fd0611c1f28dff72f87d305ebbbf5656a8521245b7d388cff8a19d57ba1eb747f50d140beaab6a1902f66af0e92

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
5c2c888c50585ade35e03fa261e6c7a3

SHA1
228f8b2423945596d44892fff79cee851e725d89

SHA256
b88171732c2054dbc64a1649430646eeaf7b5d63c491e515a66736aacbb7aba9

SHA512
af463a375586f7a07f29c5855146be05ad74bd18fc90d46c653bc6911761b911472ab5bd7eab75a7bd8b9533704118d2d756368c74ccca7b88c4de294e8ee3d1

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
51B

MD5
5cfece4d6b6cb11ab8873514f6b8558e

SHA1
0ea00aeadc1ead04b07bc2b6b045d4f46695fef5

SHA256
ee1745199faa9908c7f87fcfdcbb5e625af6d80c30799a4615196adfa50a244e

SHA512
1d99834ab647d5f7fc03ecac7ec4648367744b1a58dbfa5a510f370a6d187056ebfd49e0696ef0810573701d4ffcefff0fc0dfd330f079b52c0b5761ff6f7fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
129a4ce81f9a7b3dc2d98e090a069f05

SHA1
a266de9a5f3fea40e7de85ddfde49f4b6c515c96

SHA256
9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

SHA512
3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
89B

MD5
a6f5a84a2b7080aca568f258ef8d360f

SHA1
683be796d32ac6d119405907e0c0b7ffa15ff56c

SHA256
276dfae1d29b1f9848a317188670fff54d98680e70db7a7aadd5c870b64882ae

SHA512
e21544fef5ad46fda1d2b84057cecbe7df78652323950c2dc01c9b0198fcc1d062f039106388bf95ef2346d60d9922308c85f89bba09e20b674304c938c3bf8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
119B

MD5
4cac12bd9b7e89bee207df7fa117610a

SHA1
d05b8e03f446c117508902ae6de3c0afa5562618

SHA256
ef04c98f7ab58ea2e79251038cb6353bd0f03acb4da1dc18995722464846a884

SHA512
9fa0632cd19578f58cbe8d2f02816badff2d56e05f7a7368e56321a29a6c50e2f2c756313c61545d2232b4a18fc8e9a514d68fbcf047d04e93507d634800efca

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
132B

MD5
462a77d2e953cae9903df4e4fe13ea90

SHA1
e69004a7659f1dc8038fe6db50f2a6fcb89b1a02

SHA256
48e524ddcb7f919a1d70ce703d1d515231be824bbe2124112c00244cd0e5fa51

SHA512
bab2300687ba9ed83d37fdc133642f2de580171f107478e1e6d8492f7ecbb64a748c6cfd581e860a020d49b0bd4780f4d90d84d93d1266ea9525b3322339abc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
209B

MD5
00afc69868375c54098616f7868fb5d8

SHA1
1699cd7fbcd9ffc30a645a476bd33235f528c67e

SHA256
51631ba0009db3b456ab5634f5b684e6894cdf045dabcbd6adf97734041598ec

SHA512
b76443aeaf7b19679d59c196d3345bcbcaf3cbfcd93f57adfd5dbd453f6aeeae6410e10c240f3245f25133eb952d0b23d53b8d237596dd8ca28788dc90ab2833

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
252B

MD5
2b42259c2a9ef84f272ac9fe91364451

SHA1
582b64f433744d05e109e010f0f16365448b703f

SHA256
763555c5ff85513b8db937296d2a596af8b4eed9a524320b34142bda637e9c53

SHA512
9fbaaf9f5640e8e070647aea5c5e801bbcd6736397cdaf0395d9484229d5a83d58a2c16cf02deff211b08b15f6815398dc30406118db3a5e3a96c6e7c10581f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
263B

MD5
6feaaaad09be57d67ff67a9ceac81e5e

SHA1
673b4a21229ed9c01b9e782a9cbca025d3f6a143

SHA256
6097ca54fa0b346ebd47e50ff174ea5c25b239ce3f594fb5c7276696f3069e26

SHA512
f078cf8d1716e18455386d1154418e845cd01771c13e3f94724ed513666c1e86232b38238b7018756831c6dc4cd31fa0950a13225ca88ce5792b4d02e5c61ab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
271B

MD5
89dcafa186a9d8c209f89f89a8fb05e8

SHA1
63bf04f786e70d1fb6cd1b97aaf99a926df92138

SHA256
b26427e121f82cdd8e1935f6b2859d863347cad4f585323fb6e6664d2b555475

SHA512
b14f108f244cbf0ace72c7dddad11d7aa3f3e013661c412b756d1b23db32257f2a1ed41a08e4b11c69dfa43c6422748e9c33f93b0ef575a1bd48aee718176b45

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
93KB

MD5
6aa650efb4605f4bb39bdcfd8a2198ba

SHA1
da12240ffb9984e3f3d8e93a859bc8d768a242a4

SHA256
8729058fc0a109bfaf82d84abdc954805cd46ed499ff235d5181ff3facdaf2cf

SHA512
6893a2f796546c859c1a9ab2a8c1960f2606fe779a07bbe3cf3c0ebdb9579defa87c3b1d4dbb7e4934839a0cd5062255fb6d019bee11cf57e09b0cf350ce2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3470e1a0057f77406f3b90fbbd286ac1

SHA1
519b5dbbfe4ae81696306c5c86fa51bc5e1f7132

SHA256
6994fada019939d6feaf9d35e7bb3ea7fe525be7508e124d45137b38cc0aa962

SHA512
3a8ce5f07006e0ecd5b4cd1e1807f337c721b2582754d318bc58d1f81e14a97e33ae654e1ae504aa85bda416d7101b2d64b47367379d8a6a889d439d7727b40a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4aa06f51ae7427813145787df264b6ca

SHA1
971f362d1627961e0adf32c1ae2af2e1affe4ae3

SHA256
a2c98f060e91debd9a5a093ff069a10d7d1f83b2a288766e4e71dc455ecfbe83

SHA512
2a67f76ff524f6444110e8a7995e7c76633b8a6c78608d203faf62035ac7710df12878db63ed75a9fa7b12060ea12b889f4736b277d8262996b498e30f72422c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bef292084c2890f968ac34b648676f1

SHA1
e03189b8b4b4e65bd32e629e167f4c9fe111ae11

SHA256
5cbb820c8d06013c7fc1da8b90b4ae5cfc983f7e6fb0e33e6e40dc96d56eee92

SHA512
199ea4a8028acf97b29c08906b655ce279244f921fbcd1d0ebed0531d1099ef70d3e4f55e74291a9f5fbbe28cc4dae86245af4aaba84394703ca664b3802f0d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cac7fc66328a78ed4700003489785e51

SHA1
fbbb27136a2e57cd1ddc2ddb0b9f8161d568ef35

SHA256
6144cbae1d793142e9885a5a0b4b7810e28700ef67b1954bc464d889230c30cb

SHA512
0c14ea8fd860f4a8e96c303c8490cd0f1a0bd7a173d44cf50be521b755948c10e6efe289671420172fae928da37e4ba0c1cc5a00786259afec83b7cbc68f0bfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
179258970704d813b4d2e0f029b3fa4d

SHA1
113dd06e3998b3e99e34f48d242173ec0f7110d0

SHA256
6ea37d6d13f1b54976e684d2b8f034beb9ea48d4295f0939df3d445fc3eccc3f

SHA512
df911557c08b53cfc48402a25271bf5c103190c12fbfe345d94a9b39e708653d44fc63831763d4baba3cdabba400b99280483f6528a10e2aba888d07956bd251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38493f4cdd974d381478027e4b6249b2

SHA1
53aeb929b9ecacde579bf490d7559182beeff0f9

SHA256
da3495bb7208da7cd66660a9040ea57db4a54745547ac78f68438760a4c5c427

SHA512
0ff7a324cf9906510a5038099ac73e3b3b2842234d34f0528e90c7c78d1e7fbfa81e617cc4ba6685b7465af212432c537dc004427f109c4228e24e2a56e0b30b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e106c10571b70175ffdd4e8b8cffe766

SHA1
21b6fc7d875d57bb4c7248ad11b2f1abacae2af8

SHA256
ea6d7c8fc508ca18e8175dce2c778565571c4854230fc7c0a9ea6377b65f76e8

SHA512
9e8ead6eb0868507a14a54b8213825f7be1fd6436749844b0f6101da54de4d5d40513ceef5f96f93c2ac12f5da47abe286f9dd540c6e9c189fa7cec86fca9658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eff016620b2c413d4ca2fca0d1283e7a

SHA1
406fd4f0555986a52a5f013d395188d2998047cb

SHA256
abcd5880eba2b38e411cbdeba9aa8bc016542b7685cc7cc76ab175d867f7a9a5

SHA512
24aa9a4153a7dd4d341856c9d5230d2eefc155525f3a0f90d001c9686ada1dd6d4ed6f2caa5ae32775ea3497fe0353922d5fad5112162cbfe7c5c084283c1b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4362dbc3b08fd315308e32fe6b0a77c

SHA1
39ae5d25ac97e3a8e2d278a0185ae6080ffd21e6

SHA256
624a12644677cfdb4f2e22723c7f63783fe5fbd3fb93871a548d14e34b9a54ec

SHA512
06396c3d5ebc8635ed17695362ca62d5a74cbbe8198adc67ace48451e3b2512d3da63954fb0048197ac69390ae3353628cea91257ec90d822891980b2eb8d76b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cdef7736cb7f32277b4ae07547100b8

SHA1
27b9d003797a5d7aa36f0090844261e81dc0ffbd

SHA256
f7c9cb65a2727993f72bf9c2ed916934eb67611151311d2229f76cb8f85bf9c5

SHA512
c631209edd4b4e55ef21511f3a8bea323cb166a300bc7553bb12a70b61a74332aec58a30da55180fdacd5b9c330456f4d17aef4893dca031ea35fbab08d52e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6732fa84682ea75ff99459523a26fab

SHA1
4590cf0fa781c5525be1a747504f15f85499568e

SHA256
fd1b197e0b258fd347f02e2c7c09cf43fe853d3d5f0d9a54772cfbb06141ea92

SHA512
fb8357a8840ed9f5a7a22f2ef762afb32ab3a1865e1073da9ce89c00a6a17f57c8ace1f20b9ad193cf614c031c939cbe9dbf50bc18f20254898d75f88ba80d9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5cd66506aed320b96d58537273b43fa

SHA1
c032b353f8d31faf4b795dc8542c946971919b6e

SHA256
fad5f817535585d642a499bb669c6ff4d5933d9d6fe599bbf9fbc0be04b3e55d

SHA512
80225c2d5cb802a363e1030413cf566415f4e484ecd93d9622bc7faaceb5823766bb31ec0944e8d5b2bbcaf82e7861e16248286bf712913a9addcd112d4233c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67c25136f0bc2193d02d4336672f23c1

SHA1
4cd2843e4aba929c95e22168cb3b3f0349c8726b

SHA256
eec4c999775518d3695de812dc87315705fb558d860fb442cf142f37111640ba

SHA512
76640b2de87c51eac1f2af30f1e43d9e7acc1b379c283e9f6a87be69be8117bd0f88825cb6075966c082e308dce160c0309131f83134d5d2b8b33bb6b913efb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05fcdc340c04961b0db95e49fe026253

SHA1
66e1cae450e8a3b7405186887ccfbf1f6485871e

SHA256
aa4149e60c8c9bf1cd77edac87d48af7f967bb58a7de19525ba45a1abe788765

SHA512
a0b8b217de3c50d9f330c339e05fac34ddd9f87d82af2d759c2e703c5188ff5a3f32e0a1edfc6160adf8ba081275b92e4505359887d48add69b746aebe736b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bc59c18d1dad07c4318eddef152c9dd

SHA1
42e404bf12bbe4fae00248396a7057b4048e7d95

SHA256
ee1a4177844513c54517f2cce1967bc93feb54c1e5ca574532642977ce2b1225

SHA512
22cdea1dd0c8acf7c81cae423f53fc53a2dc35207697f149cd26aa98aa7707c3e2475b9916407a4eb0622aa55502bc75a376f2194058c79a554c4fc4de23e7b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfe7a47284fd7d4347ed5547271bb359

SHA1
99deffeaf1af8c2c3542b6ddbe4fa472ce5e6414

SHA256
a1fe78e0b40c509288922d51588b1f8f6a72f1244c7a627c264e8786a7d59d2f

SHA512
48c6cb7aade0a77296a5c09620b1ab3458e7b6452351ae4b0c78b6284013ff244ab044c5bb311f2a7b02225216b4e1f1f6f4a785912a724c99578854401aef9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4a41232885f5cc77afd61bc8c499d3c

SHA1
8c975200f981e3e57e09ea2e703d954cab7297ef

SHA256
f33f048aee37bb9c084a8ea3e668b306eb8d1e6ae9ea9e576ae4ad161f3dfdc3

SHA512
d179ed423a6b8468c83962a7c4c4460280ee6c8c5b227ede483ba648cef254befd9e018cdd673dd5db574b082d92851c80406f57fdb4ab30380298faa874ddc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37de40c4c99f5bf0e6427f8f9a38e176

SHA1
e2e20a564433bcfd9b2b0641a064d4eb5206217f

SHA256
53bab2e6a5b18b97ae635ac3561b336510008aba4d0386f5ca4e04d6284398b3

SHA512
2e92907e7703279a84bf338efa6dc0323293cf517f993ac40f0914c2dde0552f19eb631baa7c8f687e82fcf69adf0b5c01c81cc50401f3f9b8c0ef765aff68f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2340b963bb9e945211e39aa37e47264

SHA1
aa0888f826abd3f6d8f8993eabb4b0a6da9ee4c3

SHA256
c9a358f323f95b18fa61f3fbafd0cdfacfdd883f8f53fdfae0a25fb4c9e5c3db

SHA512
c161f1ad8307a753028175ed60e813a88cb03db068a0e72c627a88a546c252192ec522ceaa9b53c71e0b0a18d8e0ec7d6f8f8026c3448e21225f05863d1a2d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ee3a721006f319b4c4dac134967f516

SHA1
eebb88b6739847d7d9c9a53b21a2ad5172c58cfb

SHA256
339c453ceb1ae8dc1d3aa0d7b4058a62806554cc42ddca40517dd5da432275fa

SHA512
4e4d5db539b5c068e9d3c30aa0610d9e1052ccd90d4009b03eb667bb04dbaffd8617e1b5f3cc6eeb799f5c64c6ac2e61568e630a5cf9932a78c38c5b550f5f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7503746ef083ba9ad15c4f8af08f21f

SHA1
f1398eae821a721f25f6e295d4c3bf52f171e7b0

SHA256
c5381dd6d838d62dedbd6d3b3e2378da995bcd06e9d9ee95d1e03335e2ca203a

SHA512
566e77bd80c425784da84acd10adf5733c8146911282f7b6ba87316f1b11a3c301e354a91b724c6fa5fe6b906fe83de3aaad8613eaaa8d095334dbb3ca63d31c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be8c3da9ecbb76b7e05c812c7694f2ff

SHA1
5d2d067b1f295e58dd4eb68798bf8dd5864141b6

SHA256
498a05b24a4dad011e2dd8523c570118ec8dd922593176aeb50f031bcceaab4d

SHA512
1d8cb263d4af408ae69ee9ad30b7d48b71b361f01c56a32d671726f184a075d33815460ae20cae0c7bcfafd216d622b8b0c565123fb3bc7f5aa7a1c50bb1d3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB3C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEBEC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PMCKF.tmp\setupcfg.ini

Filesize
85B

MD5
a6b61555593b8bbffe830a5886cffa9c

SHA1
0d25251000418b6d7984804e2548aa63c38b4114

SHA256
ef852e5af8ea1479848dc76fcd01e429ae8dbba04f840a3989af3a0b49c184d2

SHA512
104bb334170c592be3c212fda887f34bfb62e0526f1714dab737077affa2896b60d1d8944895f3de863f6af6661efcba0239a2ae3fac5bee8e49eb307583113c

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
2.3MB

MD5
7bfb9bd61a69e7a4717f34f22dae8b4e

SHA1
a8b1ba82ee7172e9e5f184fef35bd41bdd373906

SHA256
f8404bd34230c1db313e2659ea483e7640c10987917e2cebdd4dd9c4ae67a19d

SHA512
19e6a0c065b1f6980b6927c6af5accf7b5d29f450daf37e57feb9ec901f3105cedd34e2129f2c5c320b516bd6a709a3b8a6885f4ee032e12dbae0dfd4b9a3273

Download Submit
\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
67e866dbad2c21354f585086d3f3e5b2

SHA1
6b0ccd164c9108b01a81f249a2d9c05ed3b5f67b

SHA256
6d7c851b4dc1acb135aa18ef28c5921472ca46d555358fc97bf2b10fc82ad8da

SHA512
ff0945ec265d3c04335e3a0ab08737ae68ba893455ffa3fa9e45e73ae2d58df737d247827e6b110f904fb18dd40e0d45882655f43b17c6bccd88265ad2aa494e

Download Submit
\Users\Admin\AppData\Local\Temp\is-MJPI8.tmp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
\Users\Admin\AppData\Local\Temp\is-PMCKF.tmp\AGupdate.exe

Filesize
873KB

MD5
a3ccbbb0735800b89931b73ccb69f9b1

SHA1
53c70f80017eff22ad88a53fdb3ffc518354af59

SHA256
97d0684ab1ecb2f89a3c8e53dc383aede506a1f9367aa283c0b9992a19854d43

SHA512
e4461a7cf5e8b8e655a2985be672af25e44276b018b7b532a665f26c1a44032bbada7e5a071a78827020c3f18d9d5c79bd0f59fe97876b1eb4279ec4094f3704

Download Submit
\Users\Admin\AppData\Local\Temp\is-PMCKF.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-PMCKF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/520-313-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/564-381-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1080-418-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1284-401-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1400-416-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1400-404-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1400-25-0x0000000000930000-0x0000000000967000-memory.dmp

Filesize
220KB

Download
memory/1400-117-0x0000000000930000-0x0000000000967000-memory.dmp

Filesize
220KB

Download
memory/1400-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1400-336-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1400-338-0x0000000003D00000-0x0000000003E07000-memory.dmp

Filesize
1.0MB

Download
memory/1400-126-0x0000000003D00000-0x0000000003E07000-memory.dmp

Filesize
1.0MB

Download
memory/1400-118-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1480-114-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2340-403-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2340-424-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2684-120-0x0000000001F40000-0x0000000002047000-memory.dmp

Filesize
1.0MB

Download
memory/2900-91-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3020-123-0x0000000001FB0000-0x000000000213E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-115-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3064-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3064-417-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3064-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download