a98d87fabab8e660425c9c1f9960070fbaf3a8f0b5f64c90537ce848b9e3ba83

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe
Size

2.5MB
MD5

16e11b36262eb534ee829e2de2848e72
SHA1

3f9d8e152540ce5ab007314eac12f5810350efee
SHA256

a98d87fabab8e660425c9c1f9960070fbaf3a8f0b5f64c90537ce848b9e3ba83
SHA512

60cbba94e0ca6ba8734cf40045ad19e1f38c1d6fcbe2745798fd61ef0b039d7fd7c2343b3a2645fc6e325fe0aa4f031977235e6be8f33cbde71b87e2e1bd09d3
SSDEEP

49152:naSDJLr+Be0SeBk2a5wL18ou9DjMYcOajZqOLBNwDaebA5rOYiZnU:ntO0iaaB879Dj3cOodB+GebSivZnU

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETE53F.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SETE53F.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\tbrdrv.sys	RUNDLL32.EXE

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Inbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 9 IoCs

pid	Process
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
5116	Inbox.exe
3636	Inbox.exe
4672	Inbox.exe
764	Inbox.exe
3424	AGupdate.exe
876	AGupdate.exe
4828	AGupdate.exe
3716	Inbox.exe

Loads dropped DLL 7 IoCs

pid	Process
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
1316	regsvr32.exe
1064	regsvr32.exe
1064	regsvr32.exe
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-CGV6O.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-8U6E5.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-PGI40.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-ENC1P.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-DIV97.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-ITC2R.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-9I3EI.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Driver\driver.cab	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-65IAI.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-37L7C.tmp	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Secondary Start Pages = 68007400740070003a002f002f007700770077002e0069006e0062006f0078002e0063006f006d002f0068006f006d00650070006100670065002e0061007300700078003f0074006200690064003d00380030003100330039002600690077006b003d0038003400350026006c006e0067003d0065006e0000000000	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2404460805"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f945ed72d44d3489ac9a36be9e2e8b10000000002000000000010660000000100002000000094564cba15fb9893c8cdc6cdda07abcace10821148c556d61b63ef0a6b2f4344000000000e8000000002000020000000278544964e8f162459d4e1e5e11412b5b2c0d00b02223cb9280791db13a7e9fd20000000a8c08ef739aa9f968f9875ac9bd0035e38bf1873ba5c36bd974346bde9a9d87a400000000dc29034fea1848de485f0130af97103384d398db59d2894748d2bdbd7ee4ad9fe8866d3d96d4e94eac0b8a874d28ef83d4ab0749d1c81ce98251163044374c8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80139&iwk=845&lng=en"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c529c1c258cc0a06a9caac7f75167c2d	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\SearchScopes\	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0939090fe16db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357562fac6bac2820483dd6feb1e110bf5	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434880995"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2403523383"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\URLSearchHooks	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2404460805"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Inbox.exe = "11000"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BAD229DB-82F1-11EF-9A03-D6586EC96307} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f945ed72d44d3489ac9a36be9e2e8b100000000020000000000106600000001000020000000d2f7444e023304171d1cd762ccac59f2c3d1e1ba750d6801156f89d913444e46000000000e8000000002000020000000e2f168f950d06924ab7ef578c0ee4dedcee2239623126e62238d4bc1a69c9300500000006fe3ad5b6a83e4101c3e15b12b2f099c6d930284d2f13ce9ad4d8815f69591649426c11ede51cd6899d8b245ad1fdcbf75cfa55e5a5b1732c1f1d8d74e9f530e6636ccfae5b09691300c79c77f566913400000001441019373cf226ad29834f8efd656d4c7b5137fcfb1b33bd0c47edea97136b102266e18e8039dc2ea3d4be865f36eb4bc173c4b34c2bc87d220397c8f7a07b6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135486"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80139&iwk=845&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid\ = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\Version = "1.0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID\ = "Inbox.AppServer"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ProgID\ = "Inbox.JSServer2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ = "&Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ = "IJSServer2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Inbox Toolbar\\"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\ = "Inbox"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\Clsid\ = "{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0\win32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version\ = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
764	Inbox.exe
764	Inbox.exe
100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
764	Inbox.exe
1424	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
764	Inbox.exe
764	Inbox.exe
764	Inbox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1424	iexplore.exe
1424	iexplore.exe
3360	IEXPLORE.EXE
3360	IEXPLORE.EXE
3360	IEXPLORE.EXE
3360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 100	3904	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	82
PID 3904 wrote to memory of 100	3904	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	82
PID 3904 wrote to memory of 100	3904	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe	82
PID 100 wrote to memory of 5116	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	87
PID 100 wrote to memory of 5116	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	87
PID 100 wrote to memory of 5116	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	87
PID 100 wrote to memory of 3636	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	89
PID 100 wrote to memory of 3636	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	89
PID 100 wrote to memory of 3636	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	89
PID 100 wrote to memory of 1316	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	90
PID 100 wrote to memory of 1316	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	90
PID 100 wrote to memory of 1316	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	90
PID 100 wrote to memory of 1064	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	91
PID 100 wrote to memory of 1064	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	91
PID 100 wrote to memory of 4672	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	96
PID 100 wrote to memory of 4672	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	96
PID 100 wrote to memory of 4672	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	96
PID 4672 wrote to memory of 976	4672	Inbox.exe	97
PID 4672 wrote to memory of 976	4672	Inbox.exe	97
PID 976 wrote to memory of 3812	976	RUNDLL32.EXE	99
PID 976 wrote to memory of 3812	976	RUNDLL32.EXE	99
PID 3812 wrote to memory of 3020	3812	runonce.exe	100
PID 3812 wrote to memory of 3020	3812	runonce.exe	100
PID 4672 wrote to memory of 764	4672	Inbox.exe	102
PID 4672 wrote to memory of 764	4672	Inbox.exe	102
PID 4672 wrote to memory of 764	4672	Inbox.exe	102
PID 100 wrote to memory of 3424	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	103
PID 100 wrote to memory of 3424	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	103
PID 100 wrote to memory of 3424	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	103
PID 100 wrote to memory of 876	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	104
PID 100 wrote to memory of 876	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	104
PID 100 wrote to memory of 876	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	104
PID 100 wrote to memory of 4828	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	105
PID 100 wrote to memory of 4828	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	105
PID 100 wrote to memory of 4828	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	105
PID 100 wrote to memory of 3716	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	106
PID 100 wrote to memory of 3716	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	106
PID 100 wrote to memory of 3716	100	16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp	106
PID 3716 wrote to memory of 1424	3716	Inbox.exe	107
PID 3716 wrote to memory of 1424	3716	Inbox.exe	107
PID 1424 wrote to memory of 3360	1424	iexplore.exe	108
PID 1424 wrote to memory of 3360	1424	iexplore.exe	108
PID 1424 wrote to memory of 3360	1424	iexplore.exe	108

C:\Users\Admin\AppData\Local\Temp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\is-S0FLE.tmp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S0FLE.tmp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp" /SL5="$601E0,1888839,70144,C:\Users\Admin\AppData\Local\Temp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:5116
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3636
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1316
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1064
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\INBOXT~1\Driver\tbrdrv.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:3020
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:764
- - C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4828
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /postinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging "http://toolbar.inbox.com/lp/inst.aspx?tname=Games&c=4&tbid=80139&iwk=845&addons=1&addonlist=&afa=3&lng=en"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml

Filesize
51KB

MD5
01116f926b28cb3442473d8b47a6dd8f

SHA1
5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

SHA256
01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

SHA512
df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml

Filesize
4KB

MD5
04e1df757b9b5a6418d79d072db000ce

SHA1
f118b45fa1092a7d473886b05984580dfa5eb5b8

SHA256
20ddca93499bb0a82627577b4cac56b6bb4c0ccb2c10ad92d16bac8b09a96864

SHA512
380eeaa2bd01629c7128a0971d6855f30d4e99bb9347d465a670419d8684585b1f7d52c6ea6e30d12bd7b0101ea1c9399c7e4f1f781db35c225f97a5e0d8d871

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml

Filesize
4KB

MD5
4b3274899a510ce0a0eaa6427bfd2869

SHA1
bbc6075fd32dbb95a254ceec0083f008113f7dc3

SHA256
1799d52866f0579798e7817e9168017bfd5a0a6e452af848e1dbe7311324c0f6

SHA512
4e9ebb12d5e6fa334bf7cb3dd4424036b3493958b9d6755fcaa5b61af9cc2898c588e6914b16298012b385cd0e890c024a607f120332c677f7b7d521952d4059

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml

Filesize
3KB

MD5
ccd6e298e340f9adc0e7359e9e924441

SHA1
87a1a8110e60fe6e0322e253170fb07c64dfc97b

SHA256
81857ce2a92da97d87e489612c6b5a82fb37f2a5856a36b772764f7072452701

SHA512
2bd078aaf07ece5a21c7353bd1843f9be60615775f19d1f14e0551c688b63bd21ac8c158230669f719180a724d64de9665720ba593323b87a638e3163ace5d17

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat

Filesize
7KB

MD5
dacf44f0b690f4c0053d31535fef87f2

SHA1
d2318c6c771a4adddd507c2fa6aa7d81ebc7aca6

SHA256
9175d7ad0f699049214a066e3b7672036a64354fbd88b002fb34f1d8c583d334

SHA512
60c7e1f3fa5c5515907b4e2702b0ffc1f32129fc92c75653ab7591745d78f7fa59b0a6c505b21cedb36151d4ca4a0fa1b90f09f8d267f7c9bd91a9605a87b7ce

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf

Filesize
1KB

MD5
c84b4baaa44b8989b2e76b42c1ab5301

SHA1
36ee3212aec954e82fd73c914717c7ad32cfc367

SHA256
94ecff1e1ce8d5d5ef349769ee4236d230a7f58dfbd0a7d32ebf84c2b41fcec8

SHA512
230bab43937d5ec8600882b2ca6249b07fc580fea5b1c8817ede28fae6566bc78fb8f2088dc4dea0997e217c94659063dc3d2adff0405944b427d325ebe373a7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys

Filesize
35KB

MD5
e7c0aac166d688ab41dff2f17e420a3a

SHA1
00b70a50af14b497cebd100344fafbd3a564fd5b

SHA256
babb144ed6471079b6922914646a110f9fe5588ca3d94deeeda584c484e4ed26

SHA512
fe539d89e28204b1d09607e9f0450ae619ff71efdfccb4597641a27cb3234fce1a2061e273bd8490c9bf15d19871aa93c1bf98c909b6c252549c40915d62721e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1014KB

MD5
cef98a42f1f86652b0ca1c31fdc2e288

SHA1
39d597dffab6d36bc47f21fe20f2eedba864a5ba

SHA256
39490eab802f21e6d00ef5eef0e1532b69a64dbed537c39f6c6129c14b6406bb

SHA512
498fe3191d3d9852c5d7ccd960847f24dc41af43cd2d4d05569b11a2b2f0b5b1c74d66ce520b58a7a6759bbc729d11dccfe5d0a1e6c5b2422ddd083adffae5e6

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
2.3MB

MD5
7bfb9bd61a69e7a4717f34f22dae8b4e

SHA1
a8b1ba82ee7172e9e5f184fef35bd41bdd373906

SHA256
f8404bd34230c1db313e2659ea483e7640c10987917e2cebdd4dd9c4ae67a19d

SHA512
19e6a0c065b1f6980b6927c6af5accf7b5d29f450daf37e57feb9ec901f3105cedd34e2129f2c5c320b516bd6a709a3b8a6885f4ee032e12dbae0dfd4b9a3273

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
7e2839c0e98367690b3af21d6408aa17

SHA1
99d41f4b0c57b5e6ef1efa2350038e10d4188035

SHA256
8cec384377ada9c4f9bfa6d03b8e6a2ed0dc650cad45b82594e11338458271ba

SHA512
d637ad72dd205f47ba4a163a88eb503dfb24f03a4f0b0c01aef8c29dc49942679eb5db47a1c63ed042f1f1fecd06d8ca6121972f33360cce5b956c0fc530286a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
565371d1e7f731b426c5e36e61d9f003

SHA1
c7752a54f5ad38002ed6452c19570adc833f9e89

SHA256
ac43b254a21613bce70efc92a047cec6c5b9d5c4d6a2ab231ca5fd3b3665520e

SHA512
f498bfb9dc3016cf8be350b837d668441e0a4fd0611c1f28dff72f87d305ebbbf5656a8521245b7d388cff8a19d57ba1eb747f50d140beaab6a1902f66af0e92

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
5c2c888c50585ade35e03fa261e6c7a3

SHA1
228f8b2423945596d44892fff79cee851e725d89

SHA256
b88171732c2054dbc64a1649430646eeaf7b5d63c491e515a66736aacbb7aba9

SHA512
af463a375586f7a07f29c5855146be05ad74bd18fc90d46c653bc6911761b911472ab5bd7eab75a7bd8b9533704118d2d756368c74ccca7b88c4de294e8ee3d1

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
67e866dbad2c21354f585086d3f3e5b2

SHA1
6b0ccd164c9108b01a81f249a2d9c05ed3b5f67b

SHA256
6d7c851b4dc1acb135aa18ef28c5921472ca46d555358fc97bf2b10fc82ad8da

SHA512
ff0945ec265d3c04335e3a0ab08737ae68ba893455ffa3fa9e45e73ae2d58df737d247827e6b110f904fb18dd40e0d45882655f43b17c6bccd88265ad2aa494e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
66B

MD5
b084e06a7f942ae74c984674b59ab286

SHA1
6e5316501f88e432d7144b176f18202072146677

SHA256
806847b184ad90a37e734caf5cddd9e9eff80099f24810312e666f49a060a83a

SHA512
ab3194d6522f6592a28c3e583fc4cf63f3875287efbd9dafcb68be90239982b76b398569121a0317942b39956c28d8e93dd2a1c1f2bf568a9c3c88cc3ef2d04a

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
129a4ce81f9a7b3dc2d98e090a069f05

SHA1
a266de9a5f3fea40e7de85ddfde49f4b6c515c96

SHA256
9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

SHA512
3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
89B

MD5
96339d98a30c58ee7785f4f3d87b695f

SHA1
4c16cc8ecac6a5eb9f6e9df5ec120e49bf36e493

SHA256
1002a24d46b6a7a6fd8a1c007e18bcd8c3126d7b61143cc995d1c05262f349ed

SHA512
0f4a0cd146092218ca32eac7427173ab2aaaf52c22b5c1c6fcfda21e9b76ae1c3984da132e3a2363bba9de125c920740a908b7f8865f147898e7249ba63b737b

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
119B

MD5
8ed0f33758e83f41443df65ffc614f9c

SHA1
f865889a4bd5da514bcc7a689a9785268451e29e

SHA256
f27e521eddd77cdf261cbec81d0db38b64e7358fc94fd87327543e888433275b

SHA512
e9585968b0651e1ef042578fe19ab73e24c413732d34c5ebe3bd9a7fbf99394c7ae4767151ba25be1b03b258f09bc2913d56220a5489578c4470b847d1e48058

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
172B

MD5
5dd7ede7ea96df45e50cadee0a8b6f78

SHA1
0be3aaaa041d2da0066b4cf90bb8757b40c2a571

SHA256
bed375f3b180f38d04de72fa3054a98c85cac1964a025552c0cd5aa9eb81f54c

SHA512
cb244f4a90663ae813cc8305609d05fed8decba572494ba94eee2b5bbb99cefd5b650746b4a4100df10418173cd411e34ec78d14a152148b333a3ab7441fa29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
209B

MD5
9cd143abbd63ae415aac37dd9962a8e6

SHA1
4b394c4e5faafb2314ebbdbbdabbfd34f55b5688

SHA256
d0736f5b71ac911547d9dcf328882bd45145dbd2af776e53f1a06ff49adb9bf7

SHA512
65b39deca6bc79f3d2857b5ebe88af3371fdf7d2522af60e9ba0a1fd34c29809853c9477c395ada2fb554b114284f6fe0709a48a0fcdf8b053458cd10a59422a

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
241B

MD5
f91f31583d0a23228aacd24c8f0b8aec

SHA1
45cf3e0000e890c2ca5319ea291c35a63d60eba7

SHA256
b2abce43fcfefb445cec4e85c3006788e86b3856bdc5c91cd18d9f66a4cfd079

SHA512
98f6eb1315521b77a33f5832ca0949e86e8df912a825ac3b2d35e71e05e086663c0174c4805f6b510a7589e853e6eb2edacfee2597015b1cf00aece5e477bf9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
93KB

MD5
6aa650efb4605f4bb39bdcfd8a2198ba

SHA1
da12240ffb9984e3f3d8e93a859bc8d768a242a4

SHA256
8729058fc0a109bfaf82d84abdc954805cd46ed499ff235d5181ff3facdaf2cf

SHA512
6893a2f796546c859c1a9ab2a8c1960f2606fe779a07bbe3cf3c0ebdb9579defa87c3b1d4dbb7e4934839a0cd5062255fb6d019bee11cf57e09b0cf350ce2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
db7c83e09ebc4317f2bf2df7f66b8513

SHA1
29d58ef43f72ce7cf79ce6109d038a6c9b4873f0

SHA256
1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8

SHA512
6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\832765B953AB3CF6C7F02DD7AAAC952E

Filesize
504B

MD5
8336d10842495d3006ef576ef017125a

SHA1
3cfceb3bc7a261f7b02ebe50f558bf4b40851ef8

SHA256
7861cb4d8433fe2884e2f7c08d7a2e2d1819d785a77aa20d7d7bcdeb058f6b0f

SHA512
ab6d5987cf1fe53b403bff775b168eb3eb5b7ab0719dea04fc57043274eb8a1b2513d11b48f60ca9b72ac8de71b5b6fe8edc17fa7293fb652a15e13ccb53a2f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B624848E7D0C04204BF0E664FB37FBEA

Filesize
504B

MD5
53e4c765a72d4470b65a0a6045fec024

SHA1
f37af6a8616b1d81e56a7874552fbe7a885ea88e

SHA256
9213f5800edcf705e1809c7ddf05ecf13d01037b066d3b5e003c1f5ae0230171

SHA512
decced1fcfac40e21f2d77c7a85e91bb6b45fd97693fb7cfddd6f3fe1325c7c051de74314fd4f8fbef41096ddc7da3850196aa211d26a53b2cdff30dcd3d2821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
a044c115041794e14632c0c32c60bb50

SHA1
3021ceff3d0c6f2b52e9640e29e48a57d4c11b64

SHA256
585d978c71e0f47ee7145172e4c548f12951b08c7b225955c0ae3e16cd19de84

SHA512
8013f77eb0f7703bdca2d18168301bf60a05a2e8d80e3c6e42d2ba88b5adf3154cd493b371534fbfddf9eec33baa2a0c5625c00a429106d5d784a9ef57ac4918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
f81b96da5545aa83a4f48939d68e2059

SHA1
0975b35d949634b25982b7afb06ee5b77c43b5cb

SHA256
dc914b1a753783dc1a872706afe6c7578217fd038fa3de6cd4ff189c0e1df55f

SHA512
7adcf7f9fcc78af5e5600398edce31155e7bb5d6ace618c2ecfe7208d3347e5efd15cb8e112ae08d2cdbf6c1a3b06f647622d85cbb311e6ca6e8169da77d3b2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\832765B953AB3CF6C7F02DD7AAAC952E

Filesize
546B

MD5
94b8e702c7d767ff39a438078d7085ab

SHA1
eb30ef0d6926a10faf3352e1bd952eec8711f110

SHA256
12b3d5b2a3cb54d35e5b6d91cda43daeef6df76ef2e0feeeac31f9e3c9e6a10a

SHA512
1bd78036da0b170694ee68540a1f87f5203dce4fea4dd5dd1ca539f267c09fce690c1e0c98ae9f324a683c88f0b4a4474ad81fdb9000d5bb8d876de80a7dd045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B624848E7D0C04204BF0E664FB37FBEA

Filesize
550B

MD5
c9bb84048c69d1dc46d53a3668de0853

SHA1
cffeca3b02b07fc482953609ef52753ba8a4a7cb

SHA256
188bd0020425901014f1f6951cdc6a25fb350927fd0b61e31f007713fb2689ba

SHA512
08aaf595784020b2fd8800db56aa6484e8d49635b80609925df23f9b0d36d308251df695c7f952c65fabd930d082c07af004bf69142e912f2fb93f95de386511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verBD21.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7fx7pr\imagestore.dat

Filesize
15KB

MD5
b97db078a657c9e96e08de48783a2d41

SHA1
f2840d22b539dcfb15d0e4f55f3cc1db55653a88

SHA256
2d86cdbd699519713197202723943a52a5899b30e094e8fb6e8b0928bc720d5e

SHA512
d124c14b89525208f6d0e614394de799e1ba1841c0615bdbc5dceb0b2c3154106fdb16a2bb52f6520dbc2973cb6fefb461d671576c055e8e155e991aeb151813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7TBBQW6D\favicon[1].ico

Filesize
14KB

MD5
de4c71e881f03193bb0884185b51bbdf

SHA1
8f51bb36b81298f9fb57824716539520553b77fe

SHA256
1f8e952702b912ccb4326c9bfd76f4cb49459787a2955924798792c20ed45580

SHA512
cf91b32ff05ce6fab615d727c6a1e25c9f4f08d51af5cadbba74650921333b0f0f3a0444a36c4c4ae77abd3ea54c846c8248af7cc0256c06ca4aabac457eced0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\AGupdate.exe

Filesize
873KB

MD5
a3ccbbb0735800b89931b73ccb69f9b1

SHA1
53c70f80017eff22ad88a53fdb3ffc518354af59

SHA256
97d0684ab1ecb2f89a3c8e53dc383aede506a1f9367aa283c0b9992a19854d43

SHA512
e4461a7cf5e8b8e655a2985be672af25e44276b018b7b532a665f26c1a44032bbada7e5a071a78827020c3f18d9d5c79bd0f59fe97876b1eb4279ec4094f3704

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8E04N.tmp\setupcfg.ini

Filesize
85B

MD5
a6b61555593b8bbffe830a5886cffa9c

SHA1
0d25251000418b6d7984804e2548aa63c38b4114

SHA256
ef852e5af8ea1479848dc76fcd01e429ae8dbba04f840a3989af3a0b49c184d2

SHA512
104bb334170c592be3c212fda887f34bfb62e0526f1714dab737077affa2896b60d1d8944895f3de863f6af6661efcba0239a2ae3fac5bee8e49eb307583113c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S0FLE.tmp\16e11b36262eb534ee829e2de2848e72_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
memory/100-132-0x0000000004750000-0x0000000004857000-memory.dmp

Filesize
1.0MB

Download
memory/100-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/100-64-0x0000000003C10000-0x0000000003C47000-memory.dmp

Filesize
220KB

Download
memory/100-63-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/100-165-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/100-23-0x0000000003C10000-0x0000000003C47000-memory.dmp

Filesize
220KB

Download
memory/100-150-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/100-152-0x0000000004750000-0x0000000004857000-memory.dmp

Filesize
1.0MB

Download
memory/100-376-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/100-428-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/100-406-0x0000000004750000-0x0000000004857000-memory.dmp

Filesize
1.0MB

Download
memory/100-404-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/764-513-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/764-379-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/876-402-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1064-128-0x0000000001F10000-0x000000000209E000-memory.dmp

Filesize
1.6MB

Download
memory/3424-391-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3636-123-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3716-430-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3904-429-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3904-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3904-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/3904-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4672-304-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/4828-418-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5116-93-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download