f0b620d651aa9b1c3dbde204a7252a46be3cec9d60c30bb2b88613ad3822c020

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.exe
Size

2.3MB
MD5

2f12607afc83356146f649cfd14bc8a8
SHA1

9ca0739604ae2e25f0a19ff3631ff093fe9945f3
SHA256

f0b620d651aa9b1c3dbde204a7252a46be3cec9d60c30bb2b88613ad3822c020
SHA512

27fae2473f8d906f5da53e9d81e82116a6b0605adeb7db59bcfdce5459113d298ce97d9566e53a1c5f3a23ef7eb70115060c0e60d59994ca49aaef2754d10d0f
SSDEEP

49152:Iu26FYYHawTokhyUT7aVa3+gws2GsMI9K2upHJcQrtnGQRoEebA5rOYiZn7:L2+HNj6V4T7IMRp9JGgoEebSivZn7

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1980	Inbox.exe
4884	Inbox.exe
3132	Inbox.exe
3056	Inbox.exe

Loads dropped DLL 7 IoCs

pid	Process
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
2272	regsvr32.exe
1960	regsvr32.exe
1960	regsvr32.exe
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-L4HVU.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-HJHLE.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-F3Q3C.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-OI40S.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-5DTIA.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-V9T81.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\social_myspace.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-0HM18.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-8K79M.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-9VB05.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-411P9.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_2287.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\social_facebook_panel.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-45OHU.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_brown.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\pinterest_button.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\social_twitter.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-O3EO4.tmp	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82361&iwk=846&lng=en"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=82361&iwk=846&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\Version\ = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ = "IAppServer2"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\HELPDIR	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID\ = "Inbox.IBX404"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
3056	Inbox.exe
3056	Inbox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3056	Inbox.exe
3056	Inbox.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1032	1052	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.exe	84
PID 1052 wrote to memory of 1032	1052	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.exe	84
PID 1052 wrote to memory of 1032	1052	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.exe	84
PID 1032 wrote to memory of 1980	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	87
PID 1032 wrote to memory of 1980	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	87
PID 1032 wrote to memory of 1980	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	87
PID 1032 wrote to memory of 4884	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	88
PID 1032 wrote to memory of 4884	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	88
PID 1032 wrote to memory of 4884	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	88
PID 1032 wrote to memory of 2272	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	90
PID 1032 wrote to memory of 2272	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	90
PID 1032 wrote to memory of 2272	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	90
PID 1032 wrote to memory of 1960	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	91
PID 1032 wrote to memory of 1960	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	91
PID 1032 wrote to memory of 3132	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	96
PID 1032 wrote to memory of 3132	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	96
PID 1032 wrote to memory of 3132	1032	2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp	96
PID 3132 wrote to memory of 3056	3132	Inbox.exe	97
PID 3132 wrote to memory of 3056	3132	Inbox.exe	97
PID 3132 wrote to memory of 3056	3132	Inbox.exe	97

C:\Users\Admin\AppData\Local\Temp\2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\is-AEF2K.tmp\2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AEF2K.tmp\2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp" /SL5="$801E2,1737902,70144,C:\Users\Admin\AppData\Local\Temp\2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1980
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4884
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2272
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1960
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_2287.xml

Filesize
5KB

MD5
be1e4827a19ef48648563a9e98b6f188

SHA1
80afc7ad0008a5de7b9731546447589afd5066fd

SHA256
7bbc09b928b2391000a935287b140f5d240206f7b0bda3c3917dbe825a938406

SHA512
ffb55e001edd82cbb3568e8a78afc90a9848efa9d79f4490d9cf707581399c8e4a60048f0c883a5c27944e26588d4f31f944724ca5cd307c3a3473afa03c0fc9

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\black_brown.xml

Filesize
50KB

MD5
9db9a8baf643a3512feb2f1014782c72

SHA1
04538d23239e716694e5ea17f7bb9132aa0e3939

SHA256
82f18d65fae1ab1f78afabc7d44cf3725b4a65c93d21d40d776ef69762310f41

SHA512
612d7348882a6d0f1ddc86228556bee42e555143ee9ca78000a52d01e764078c80d205796eb9de39e903a35a84b12abf69e4bf4bfb4976396ab1109c34812a36

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml

Filesize
5KB

MD5
9d25e413b26edd6157f92e120941a856

SHA1
97bfd31d3282cc568e74f8f8b86a3b59f32d36e9

SHA256
694696a703a7e7e27d4da7d7350c6d2eb1cdf3d4494ce523290d94e322436c08

SHA512
481416e4de97faa516d2f3f6a34f2a5a6a9c11f12365e07c712799a9f5e549fc05d1a54a0d46e72eb7c1a1525540bbe8f1e851cf8ef486808e43d77673bae056

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\pinterest_button.xml

Filesize
5KB

MD5
5edb9f1e0f48304c7e7ac837a54a12d4

SHA1
3380c2b399018cec277fb5111cb2b8dec5868815

SHA256
ad88c981ad1cfad58e72b60dfb9d4357c1337e3b32e81d80c665d3e3a9d60405

SHA512
15c4ab8e80458e5684d2ca9e41f518cbeb48cf8d783e9b75ac0925098f52f4ccec4833f0f8513c40d5330804629b57bc970edcedbcaee168efc8c6a04b585397

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\social_facebook_panel.xml

Filesize
4KB

MD5
bc28784f4872f3d8a38c058825ecdfd2

SHA1
96f0a1631f4cc51fc71faf3bca0dc27ca971ae23

SHA256
6ffb7375b67cacff0a5c4a83bde7b958fb039f2f87344ea4b2a455828f651c10

SHA512
6585a1055336a4406261d03e4f5239e0cc3a793394f56bd67b26c702de2eaf9bb252be52105f64ba3aad056f601b2e8ec7f811e4a35680489de9d51be7cecae0

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\social_myspace.xml

Filesize
4KB

MD5
0ae22594aed7c3c0f6a2346a35070bcf

SHA1
4a52f1c230ce76a949aa33d473c504c430e28e42

SHA256
a148bafd6c429e6517c1e11156cc627aa4b4522915e9bf9503319639fe6784f6

SHA512
cc2a151839e7687acf48917d0b65235b0a32011e2342d6951436d84423355efc60ee6da3f83b1fcc29b2bc08cfbfe52d51227d98fda7d2af493652a3479ef90e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\social_twitter.xml

Filesize
7KB

MD5
a0670c3f05b5e4c2887c8fa619b8d265

SHA1
0c4f1d91cf9d72bf072ad96e24768147994c2a01

SHA256
690bc31e087aaa869edf7ac2ca8ecb16386464be67c257dcab8fd4d3b27703b8

SHA512
7317d3ca895d34afb88ef7f0a1a2e3f00c335901902bf2a4ad8397d7cb6914a27e5227d1ff63c9ffece1c28aa910813ba75525090fd0695a625baee4fe42d8c1

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
5c9476a8dd88e998063cad755d08773b

SHA1
0c5bc8c95b89d1387516767f8baee232547aa01a

SHA256
c8b4b6787184a987c15dfbd05876c5bd10de311aecf0ec676b3e9723ffa38da2

SHA512
3756b6fb4fad4135391b8ff277e618270910914ef6c9437ab45c75b769fe8f8f9c09cb6b778d4eab457a2061c7cb8fdc8e6c124e021d39f454a63ce495fad80e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
079c19cc6eda45b0ac316b649024e65a

SHA1
962d3750a7c91b19406abe74bfc28b9f1fbf3534

SHA256
04c86ea774eb13964972ea33ce58cf8a5e6ec1a673332f506b2f070d6c6ca4b0

SHA512
ba0fe67704fe5dd06b2c1c645c8fbd3e756883e80f04466926433064e733741fb4289f27f79c96c8c30e2397224ab8cee306836f86c76f5fac23c4cf1b98b0c2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
d41e340d6aecc63f275a2083f4f7672e

SHA1
9c36eadcb1daf21a220e0b980f5f03aa60ed5a52

SHA256
30914795633b9eadf69ab0244c344c58e9236c406b490673d850ce0cf8f55e0d

SHA512
62b8faad3d4f192a3ee7797a6477ceea9c0c6e7752aa7bcd53dfc9430d9080c8660fbbb5ba7272e5a258b05d42591f8e5fded882a247fbadb88d3016d55e002f

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
5ce4f8875b8f4ffe6f2ab757253fbfd2

SHA1
e47623b3634cdaa4f69694cf720a4099267881b8

SHA256
638a1000de70a7a95457c315ac03b7c7076a392a141604a89e2b4621ae049591

SHA512
42d86c5c8b879ed6a11370b38800348c4755f7fd6441b01e1a9a3915567d573bfa35ef339df9c7896860e645e1e8b94b99e73a380858fdcf07bc4b9fd30322e1

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
eb251f95bc360011a82971390a90ef37

SHA1
51a4ef0f8fb78bd9c60c6f9521eca54a1615f5b7

SHA256
c45aa0cebd159797e58d05777773f7f4de26128386a5c9363eed75877ca04822

SHA512
7331c9264e559aedb9a7f209ab872d5f044e7cc5def5950ce414efee62c26b2224bc8725f0a4bc3f900833ef60654ab4e8b3a6528881238fdbe4b2c78945f8a2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
626ad431c15bb4c4f835422265a04118

SHA1
ba2c430700d0a6b73d537dc348e6fb5f6f508f8f

SHA256
0e657a55e277781d1e1d1bc9159e3e2eac792256fcd1798e8748df14bc3c26d8

SHA512
7ebd4d23c7dd6fd2505c512b384a960b1e4a82bdfe8d39378773d6c87fd55f7731aa4ad10d84db6b17786f551e7029919eaf15f5e11a01f5ea41d0db63458fe2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
52B

MD5
84b25f3c870d44a561c6d554aca385ed

SHA1
5c371702a38d5e2c55ce1d7e5786a79449049ffd

SHA256
0a2afa87d19d4c805758903230938781dd7aa15d63013c342d4ca5ed41916687

SHA512
3306dbc5b456bd8b1a6f6ccea90bb6314601b1a1dc026577cb0ab3461561a88f523efb8e90cb0ee17d2fd983966d3b100ff5c9e8de72b30df62ffa0e43350b6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
6e154bd2aab28f37a3bbe8ef394802e6

SHA1
6efea9c0fdc55c2345369441ef19c32e182e7ce5

SHA256
b581ae9e6dd4f3dcf66fad7afbba62279d195b5af63a997abb342761a5acd2d0

SHA512
b2b8b962a63cc21b55440c38960c22f9e1c76e377244a63c737a5ac4c15d3ded143f3ebaffed74707291c4526ed9a80f9a9e5ef351b50b4f4bb08b81e92669f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
70B

MD5
6d1114852117bbd33547ef2b4413d13c

SHA1
a27c3507b713dea0fa66d8c0c175c88dd598e90e

SHA256
96fd13d97c09cd84f097cffd823f41d9a36b2ba2ea45370428c65d56871513a0

SHA512
25fefd5f5ecb71c953af533eb855df7a193373fe28bba351c366e78a8343aa1cd3de40a00fc57a2843a756b039aecea26335d1d75773cb0ac4939398ab0d4f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
99B

MD5
58b0a159c9492c589bbe878b8315f27c

SHA1
741bb375b35dd5336b1d7ce6ed937c9987d4a354

SHA256
26300dbd3586e50e3c15103d5a4d9a6fea0c3bef3ccd176e77d900267aeac723

SHA512
494dc9e4f6d8e9ef538145004a6b7d25af17617056bbce01f264828bcb14db44fd1a821d8bc294799a6c39492085d00405a3a1a55d04aa80165432ff4ebe3b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
112B

MD5
b01841effa983a1be97ae7aa35a74a6e

SHA1
763433f3540f35176ff1278e631bce2e043aced6

SHA256
2ac120a5558fc270426061b862ce09c2e218744104cb515ad5a3d1cc42885d81

SHA512
e9ca1eb427574616deac7ad6c172dce98964a64a2abe3d981c8029c5655688422fd6eaa0e70e9b5c353ee1c2db322ce81a5f09122401525b2545ec3ee4b8d5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
153B

MD5
79ec3dff2e7f8625ccfd696d86c118e7

SHA1
c52a65433863366f512407bb65bb421bbd8f1875

SHA256
2590a6117e0a62e97cdbfde7d3cc077ed0528c3ac0a57262766fe35e064d9369

SHA512
e0a0759ebe8635e8833ec42327690061c91d9cda8d18cd600d8181c9efe7610e9132742baa4ad46f2df5304d7e43f6a9419c434581d533a6fee9758a6c025463

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4EBB0BB1994A5FEA68A685E8E6F35B7A

Filesize
504B

MD5
6ec13a719fad6a767e366c9981c5528e

SHA1
fe76a1348f33f49b16636794858f46f6ef06af52

SHA256
81b68d2b37178b53d7104aefa149cd836f918e16898a2046185c722c290f9354

SHA512
6b56890b396dccb663c835d6ed285ee9adaa2f3db0305a45ec35dbce7d04e9807d0f783dd564409d1583c83dcf7ff77f0d0beb1463761dc893d4aaf875a3af66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B624848E7D0C04204BF0E664FB37FBEA

Filesize
504B

MD5
94d1528dcb284f7d3df45c67a071c804

SHA1
034ec837cdf4a448311e4498073297012aa41b6e

SHA256
432d799e5ddb5165639062f61ca25a1fe71e2be90b8e1362310e0c45c2fe63e3

SHA512
2062430e0259460643b393dc3b50794312b348136a5a005624c5b1a8d0874d30a58dd1c3f29b426f3c332c6b09192dbb2568a25e35c73a9bebbaacd3fe554976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
37e2a76eb11b2dc09d0a5bfb391d3b56

SHA1
877b48377a0885a1f00b7d39e744d633494ec18d

SHA256
68e461992e816219a27e2f6719095a9c3b1b30c12a5f8fbf9b96701f4c59bcbf

SHA512
10c4febfa8793b022b0048afa44c718ef118e5b9844e717148c15723c01f367149a3869569f05e51a00af1fe666bc499b9fda73ee9c830b20e38139a42daf62d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4EBB0BB1994A5FEA68A685E8E6F35B7A

Filesize
546B

MD5
969c78f2f3cfd0b7c3538e5f259a32e6

SHA1
0b47522a363bc65e9a32516038bd80a9b58640e6

SHA256
2b9a0a8652d4f494e72c9eff7600c3bf9033ce786d492f47238faa619866ca11

SHA512
b9fc8a76f81928f2291d3d921c86991ec3f586ed7cb956cccd68db98bb614962008cf8ce2872db65b521f218dca6fb4de4378a4680cfa02ff03321394ef8dd17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B624848E7D0C04204BF0E664FB37FBEA

Filesize
550B

MD5
d9c3d295b93a40bdf0053795d0440a9d

SHA1
bade00b872f9a38ca2978545c98857a574651d68

SHA256
ca7ab28ce59906cd40994ec963766790ede61b33ba72af8c521ccf5c6d4a0d75

SHA512
c4f7a9cf11ed3872d22532d7aedfcb10a9dca061ff246d2cdeb83c5eaca65e959dbccb9390222129d88be6663ec66843808ad0ea75a95bc8a721dce77dcc908d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AEF2K.tmp\2f12607afc83356146f649cfd14bc8a8_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N4K57.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N4K57.tmp\setupcfg.ini

Filesize
44B

MD5
cda7c83a5eb697eb4c7a347e86ec4ac4

SHA1
baabc0527401b93af2fa4137439ba98470f79f1e

SHA256
f9c813a7932c6749176809d735e6974be2fefea730bd1c9e66f2e4e683cfafef

SHA512
ef450d355d5f39dd40352da5784d43c441267d972fa47d596fad3d7099a54174efaca970a51894ac319fa7985c622ee3b4057415fcf7c0fa61e5cc473cf6482c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N4K57.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
memory/1032-392-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/1032-423-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-131-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-130-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/1032-247-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-20-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/1032-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-413-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-234-0x0000000004960000-0x0000000004A6B000-memory.dmp

Filesize
1.0MB

Download
memory/1032-232-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-214-0x0000000004960000-0x0000000004A6B000-memory.dmp

Filesize
1.0MB

Download
memory/1032-414-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/1032-418-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-401-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-391-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-362-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-406-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-383-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-396-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-393-0x0000000004960000-0x0000000004A6B000-memory.dmp

Filesize
1.0MB

Download
memory/1052-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1052-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/1052-128-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1960-210-0x00000000020B0000-0x0000000002241000-memory.dmp

Filesize
1.6MB

Download
memory/1980-166-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-365-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3132-319-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4884-205-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download