e67880d34ceffd7ab0e9028428dbd8431525c9ca03efbd54971b1f23e3af0807

Analysis

max time kernel
144s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe
Size

2.4MB
MD5

37135ac9980c76161cb0726319b6967b
SHA1

a87324b9d3918e90638d7563bbb83bcc507ec4f9
SHA256

e67880d34ceffd7ab0e9028428dbd8431525c9ca03efbd54971b1f23e3af0807
SHA512

4419e99996a0cfb733ea7fd7c26609de31c4e92e25dc29b1327c80d614120f1d4d31838a4b0f66e88becb0390180e94da4889a44cdfd4f22ff2d57c2a0af39b5
SSDEEP

49152:3l1SW/Z9qQAoe1NZ6xCi4B7ySm+vmSIOQzeMR7zZHFRYptebA5rOYiZnr:iKgo6NZ64i4oSfSKy1H/uebSivZnr

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\tbrdrv.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET7C03.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET7C03.tmp	RUNDLL32.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2704	Inbox.exe
356	Inbox.exe
2092	Inbox.exe
2392	Inbox.exe
2932	AGupdate.exe
1268	AGupdate.exe
2212	Inbox.exe

Loads dropped DLL 20 IoCs

pid	Process
2760	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
356	Inbox.exe
356	Inbox.exe
2984	regsvr32.exe
2120	regsvr32.exe
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2092	Inbox.exe
2092	Inbox.exe
2092	Inbox.exe
2092	Inbox.exe
2392	Inbox.exe
2392	Inbox.exe
2392	Inbox.exe
2392	Inbox.exe
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\is-G6B29.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-KGK7Q.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-AC05F.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-QTI5R.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\blue_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_translator_br.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-N6VIN.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-HQ5F2.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-0CU6J.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_history_br.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-742LE.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_encyclopedia_br.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-LC4UF.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search_br.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-QK9TQ.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-EM5PR.tmp	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_dictionary_br.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Driver\driver.cab	Inbox.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000ce398f23ee365fa9acca00e861787c6527faf437a60e0ef56679bb6a0517a587000000000e80000000020000200000005861c4ccb83cd703645f7d77cd9bd738f33127ba46eef36d139cfcc6c7ec6931f001000052698a07210b5c2d0bbd0ade8243f21b66f1a374639ba773e4f71252ad6df78d29d2efb6940503ab4e22005a0681f842d17fa63c46af1dee789aa0ff9bca05166912a30f256ae065a8cb99c3e9ead32a4a266c8220f241a5c8ff9f4d1d426edb1b9d5b15361d40f60128de35c1a57819a3e3b641bfda0d75a986db0e12b4ae0c65e85d9010f0be9cecfc21ee5d906330437d9be3c58214b5d5132f019599459f2fd296eff8812b420855c70b48c44f5f53ce6bafb0fa3d64fe46371e62262f5ee178b1de0b9ef15a2392d6e3197d86a752d996ad61a979849dbed938d09d609e29d012f5247a5b4432c2429cc741058d54650f0f57e45c596f8a4e5d62704a7114f42262fe1035c4b974c24b48efd2994bb6e32d063ad0237e6f47ac8cb596ae1d7257a53427a2922c8ab2641fcc49bda5a7773a1351f123e26e8f2fa147a9e7b57fb92c190ca72e317904cb535a232d942e557321756b10e3fe8348a9bcd6db745d917ec4edf45a0df7d41f7e9cf0fe50c4dd71d05c504faa73984f4dbba0d9b0ff635945a923459c65d43f0aff04c62dca78ef8831264811c6f7f7318c64cc06a8d1f8681e43806e3840b459045d54c9978b17ae076f2fb7a98f25283f27b610c627d75ddb1508b6edd0dcc72396dbb415c5252c1172c0f6fb4a073b372634738bfb3c04ae6c11eceda076bf14bbe940000000687056336046c72dabbe1fc9966427ed9a67f851b9a2a9cc8d5c25506b294d44201c73306e38f4abc044e162d755c65a178f291d51496f132b14d4757d7b61ec	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Secondary Start Pages = 68007400740070003a002f002f007700770077002e0069006e0062006f0078002e0063006f006d002f0068006f006d00650070006100670065002e0061007300700078003f0074006200690064003d00380030003300380039002600690077006b003d0038003400360026006c006e0067003d0065006e0000000000	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357564fbcdb1c28a0a87df64eb1a1d00fd	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000005a5814f5e797d9feeb4dceb45b875eb859aa82049bee9b28bc7b9dfc503cac87000000000e800000000200002000000017e5826e9ba7048e5d75798073f54c44a9622997d4fcf4d8911274c3584b77201000000078f5294eede5b5824900dc4c00af6b69400000007f5364f7292f327d42a0d99b1ad8ff64ebc74a8afb7a160414b922dc23c7932aca999c2f64a92327696a9846c6a93cd11e0b5abe310684e181f00764781e3f80	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c52fc0c953cc0208adc8a77f711a7725	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80389&iwk=846&lng=en"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000b91ebec38dbe98837ed8bab18327fb5b33c144e9c84a1e01434b0a161a4a72ca000000000e8000000002000020000000926cacbb3d0fc10a3562ff55e423fd35e9198bb91fd9762bec8b841818916b3e50000000988e2b1f11cf8a659485dbfb2a497033db071a4cdd3d66780db0eb6747ad54834cf8f2adeab668c0fc389234cdfaa4089a86fd7a7ca28b5911831a9505c0658baf65ae337b97e7145f53114c7a5b3432400000000fd6741c652b27280168fa00395a1d7f624477dc4ae16ae2242f60ba9de6e9ea1380ef2c4766a6dc92cdca01e64536ea84957313f2347c1d7ee9efe468c9dfff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ABE5B851-881E-11EF-ACA8-72B5DC1A84E6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80389&iwk=846&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\HELPDIR	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid\ = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\ = "Inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ = "IJSServer2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\Version\ = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\FLAGS\ = "0"	Inbox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2288	RUNDLL32.EXE
Token: SeRestorePrivilege	2288	RUNDLL32.EXE
Token: SeRestorePrivilege	2288	RUNDLL32.EXE
Token: SeRestorePrivilege	2288	RUNDLL32.EXE
Token: SeRestorePrivilege	2288	RUNDLL32.EXE
Token: SeRestorePrivilege	2288	RUNDLL32.EXE
Token: SeRestorePrivilege	2288	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2392	Inbox.exe
2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
2392	Inbox.exe
2392	Inbox.exe
2392	Inbox.exe
2392	Inbox.exe
2240	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2392	Inbox.exe
2392	Inbox.exe
2392	Inbox.exe
2392	Inbox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2240	iexplore.exe
2240	iexplore.exe
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2888	2760	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2888	2760	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2888	2760	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2888	2760	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2888	2760	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2888	2760	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe	30
PID 2760 wrote to memory of 2888	2760	37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2704	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	31
PID 2888 wrote to memory of 2704	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	31
PID 2888 wrote to memory of 2704	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	31
PID 2888 wrote to memory of 2704	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	31
PID 2888 wrote to memory of 356	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	32
PID 2888 wrote to memory of 356	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	32
PID 2888 wrote to memory of 356	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	32
PID 2888 wrote to memory of 356	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	32
PID 2888 wrote to memory of 2984	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2984	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2984	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2984	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2984	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2984	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2984	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	33
PID 2888 wrote to memory of 2120	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	34
PID 2888 wrote to memory of 2120	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	34
PID 2888 wrote to memory of 2120	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	34
PID 2888 wrote to memory of 2120	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	34
PID 2888 wrote to memory of 2120	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	34
PID 2888 wrote to memory of 2120	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	34
PID 2888 wrote to memory of 2120	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	34
PID 2888 wrote to memory of 2092	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	35
PID 2888 wrote to memory of 2092	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	35
PID 2888 wrote to memory of 2092	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	35
PID 2888 wrote to memory of 2092	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	35
PID 2092 wrote to memory of 2288	2092	Inbox.exe	36
PID 2092 wrote to memory of 2288	2092	Inbox.exe	36
PID 2092 wrote to memory of 2288	2092	Inbox.exe	36
PID 2092 wrote to memory of 2288	2092	Inbox.exe	36
PID 2288 wrote to memory of 2072	2288	RUNDLL32.EXE	37
PID 2288 wrote to memory of 2072	2288	RUNDLL32.EXE	37
PID 2288 wrote to memory of 2072	2288	RUNDLL32.EXE	37
PID 2072 wrote to memory of 2076	2072	runonce.exe	38
PID 2072 wrote to memory of 2076	2072	runonce.exe	38
PID 2072 wrote to memory of 2076	2072	runonce.exe	38
PID 2092 wrote to memory of 2392	2092	Inbox.exe	40
PID 2092 wrote to memory of 2392	2092	Inbox.exe	40
PID 2092 wrote to memory of 2392	2092	Inbox.exe	40
PID 2092 wrote to memory of 2392	2092	Inbox.exe	40
PID 2888 wrote to memory of 2932	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	42
PID 2888 wrote to memory of 2932	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	42
PID 2888 wrote to memory of 2932	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	42
PID 2888 wrote to memory of 2932	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	42
PID 2888 wrote to memory of 2932	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	42
PID 2888 wrote to memory of 2932	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	42
PID 2888 wrote to memory of 2932	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	42
PID 2888 wrote to memory of 1268	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	43
PID 2888 wrote to memory of 1268	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	43
PID 2888 wrote to memory of 1268	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	43
PID 2888 wrote to memory of 1268	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	43
PID 2888 wrote to memory of 1268	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	43
PID 2888 wrote to memory of 1268	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	43
PID 2888 wrote to memory of 1268	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	43
PID 2888 wrote to memory of 2212	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	44
PID 2888 wrote to memory of 2212	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	44
PID 2888 wrote to memory of 2212	2888	37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp	44

C:\Users\Admin\AppData\Local\Temp\37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\is-9N0FG.tmp\37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9N0FG.tmp\37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp" /SL5="$70122,1824239,70144,C:\Users\Admin\AppData\Local\Temp\37135ac9980c76161cb0726319b6967b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2704
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:356
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2984
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2120
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\INBOXT~1\Driver\tbrdrv.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:2076
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\is-OI8PF.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-OI8PF.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\is-OI8PF.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-OI8PF.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1268
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /postinstall
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2212
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging "http://toolbar.inbox.com/lp/inst.aspx?tname=Translators&c=4&tbid=80389&iwk=846&addons=1&addonlist=&afa=3&lng=en"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2240
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\blue_green.xml

Filesize
52KB

MD5
73ae8ec141d41888f4f4efc96e3158aa

SHA1
ed00518da7d76b725af71e493026e1645f33a9f9

SHA256
3b18558a9b1f02bc5724b37c128389804f89a6aee5f9b9b484e94d0548057110

SHA512
95adef46aef2529a9f33050a88dde6a8217e88f4ae6246ffc2f9fbdf985bd1bef1b505561a8bf10ddef376ecb340e632994be127f5a7b36f60bc0b4642cd0108

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_dictionary_br.xml

Filesize
5KB

MD5
a68075fa8f8c2312da27ddcc6e70a9de

SHA1
d11fbfaaa9450991ec9e8b70ebb7051de4ba239d

SHA256
bef21899bffe2bcaa0df4fc33906139b04cb7a02c97dc46e7c71b76cc0ccb3f1

SHA512
1cccca0ccb85311a783fbb19b38a78b3efd164df8e05d38f3e45d2baf279435f9db41da9bd29cf672b586d1d1b5aa3e0ad721b13d9a0a52381cd63bfa7176320

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_encyclopedia_br.xml

Filesize
5KB

MD5
d48b7a2bf23cad2e3c86e5336c6f03fe

SHA1
d5b1d477851bffd24ee65e60166985c08bf960c2

SHA256
80ce55abf5a8f9c92e65279e456844bccba09141b7b0e22b8c51288766f8f854

SHA512
0cffe8464b6022c5d803b405dfcb21b21ccba5a93401c71875ba2dbd7ffd0e51e1c56afe32fe95bab243edf3a6bbdb166374bb75531ecd73f3c1f63f1f79b40b

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_history_br.xml

Filesize
4KB

MD5
255d2cd2ffbf0e0dcd5a7555d293ddc5

SHA1
b19d386ca76b35fba2597ca8baa962e5986440a2

SHA256
132e6e7c5b3b12bdecfbf82eced716d4a0342e2ff21727cd5190af3d159c74b6

SHA512
80c898b1b119fbbe9861a8a385f50dd74acdaef182ad7b39379c1273fc787306d7cf02107e303cc5dd0253b41a1d7d8140420025fd88be698bdbdbf24dbe2e65

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search_br.xml

Filesize
4KB

MD5
0b68802d3253068df66f23dfe7b93e0a

SHA1
be2e8050748d75eb95a7bc8257982f81ee8a2b2b

SHA256
8b0707feece3adff817442357f5c5a6aab64a3d91de8362dfa0e95ab194330b2

SHA512
51ebff472aef81b9808c32d1bb1db3153d5e7d1fa46ab5bb36c75171fbda952d0acf36aea3daf4d80d671739e5a0fd94ca301004f0de434443116139af2f0943

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_translator_br.xml

Filesize
5KB

MD5
1c9297aa0ea4b67845686a49c8b486ef

SHA1
aa42a24a47ebecac0afeebdcfbd89a8e8b727e87

SHA256
b63d238162d4b21bf557a1c1597a4f948d27b5414b8a984c0aa5539648478dbe

SHA512
8c8ba090ddfdaf49268b34b7ddac9bbeacd699f521d2897f17539f2aa8e16927dfcdb2613c546d972b6da9c23a72edc153bc0c11c13dc577c09938752707c122

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat

Filesize
7KB

MD5
dacf44f0b690f4c0053d31535fef87f2

SHA1
d2318c6c771a4adddd507c2fa6aa7d81ebc7aca6

SHA256
9175d7ad0f699049214a066e3b7672036a64354fbd88b002fb34f1d8c583d334

SHA512
60c7e1f3fa5c5515907b4e2702b0ffc1f32129fc92c75653ab7591745d78f7fa59b0a6c505b21cedb36151d4ca4a0fa1b90f09f8d267f7c9bd91a9605a87b7ce

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf

Filesize
1KB

MD5
c84b4baaa44b8989b2e76b42c1ab5301

SHA1
36ee3212aec954e82fd73c914717c7ad32cfc367

SHA256
94ecff1e1ce8d5d5ef349769ee4236d230a7f58dfbd0a7d32ebf84c2b41fcec8

SHA512
230bab43937d5ec8600882b2ca6249b07fc580fea5b1c8817ede28fae6566bc78fb8f2088dc4dea0997e217c94659063dc3d2adff0405944b427d325ebe373a7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys

Filesize
35KB

MD5
e7c0aac166d688ab41dff2f17e420a3a

SHA1
00b70a50af14b497cebd100344fafbd3a564fd5b

SHA256
babb144ed6471079b6922914646a110f9fe5588ca3d94deeeda584c484e4ed26

SHA512
fe539d89e28204b1d09607e9f0450ae619ff71efdfccb4597641a27cb3234fce1a2061e273bd8490c9bf15d19871aa93c1bf98c909b6c252549c40915d62721e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1014KB

MD5
d673907569a04e0b0475f3040cf566e2

SHA1
b592a76de20a34d4df1d2a00e8f77dcc85b411db

SHA256
4da6045ad6a2cc08bfd06f1b0b72609c4bbb3e07807eb3d2b4599cbe024165fe

SHA512
897b531b67f92498980d72a1764ef43384db7d3e8076927624eec4144eb625416f34a17fb5c759620e20820969951033e3d7eba45ae81bf9d6e917eaa6b05f27

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
0ea75496d9716ba269f47b723c4dbea7

SHA1
157e6ac6d9d71b8431c43c06d0619916ed57b45a

SHA256
17b2dbc3d4e531b902792d93480c64e01a960e174ba88809c83627cef3e2cdda

SHA512
c9c90a275b372a6454e890893e70844879bd8a22c5873bf16a115e1fb1b951297f341b4b1791e477e12ac17ec8ba915396b36a1e0fc240d92c25d13fccf8983a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
cbf23a1a0eb1d5a4db96f0800c1b560e

SHA1
72ba79961741cc9e153402e940ab6f974bd7c469

SHA256
a6fb7be17ffca80e4492434fc6920264099036dff9486747e4e79d9c0f8df769

SHA512
c9e91e080672ec5cca69f81647d310d1187e095c6023579e40d667a4c4b0930b84e617ef58891a758e7bf46216190ec5443d54717a1a14f3318540983d97216d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
2c9596e97c9e11b7a30a75aa464dc70e

SHA1
60effa4eac84edd2260b2af5edbd1743156da6d7

SHA256
ab314891b78efca4c154a13aa0f91a8d4c6fcdac8431d45ae56bd116456cb7e4

SHA512
7ffd01f425c25619243a21a2fb498035d11fa8096f20e837aeb548c5144d67af0b2fe5cefebf5a16f17698304162079be7ac793cbcbad0e0718e61b0f70c5445

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
54B

MD5
1e821ff0a1935f790a2b16122d75cadf

SHA1
2a88fde78e21a9693f685cc2029a9b1f58b48ba4

SHA256
bfab0d25901e6a2b95aca3aab297b6a77fb2ec0ac9695cb7cea5649091633b50

SHA512
0b2c4013d9303085d5175fa1fcd1208541964d1438865007cd2bc361cf528665c40ed921367780e3588b849c237aab945a1f4f7fcc2c2f543ce314292fd38c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
29B

MD5
3ae883e8a3e0272e3b0844d35a05fd87

SHA1
45b5ad9ea39c60ee61d6ad5776b82975c27191c5

SHA256
c37f72f8519621289d97d31889959c508ecd8ee7a18dd04462fcce53b74719c1

SHA512
5dbcd8f6ed1891f9099723934f46955f90d9219dc07ba468ab1cd286f9b96154365f4ada2515639a8f0710b98fa01451d01e02482ba334905d9443782eb2ed0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
88B

MD5
ac83f8305fe5be53ca4dfb54b8648e88

SHA1
e7b568c11a8bf0d65c7da175c2e2538a233c6349

SHA256
94f264cb78388abdbeee9e3ba83ed40bf3b4beb4dbd03fc3c8ace7a95a14c993

SHA512
f4efaba6bb65dfe614e1fa1a0df7d780005907b5561f60b57f8d442710f2f5500bce31b501aa5b43f215bcd0365ebdedc7a91b6d4dc2b3fdbaeaac13833f3d3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
131B

MD5
31b367b8742c6b858da0ab319c1fd61d

SHA1
da480a1fa9a6e13224b46ccb169e236c4e3d5d0c

SHA256
279c704c2dbe258071d46c327d0eb2e7a0a138e0a9f80aaafae698033c5a8ce1

SHA512
2242b1baea36e371318404b5cf94a193649aa90e511069384a6120191c11c8b7308f127e0d04b62c1e02fe7de9dfe9b2dfdfcb66c8ccc1b1d10874ecd89eb207

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
131B

MD5
4925737970045deebe6f391f1fb9b4c5

SHA1
eb76a92f4db24542e55befc812b2b0e1ddd9323c

SHA256
39bf3bade1e62ce29f2af93534ecf8300698ef1cba06544aef65840b95399f2f

SHA512
b449e26c7d99631e20482ff8e7f884a42f0c883c0877bc57de109214a4b389dede2b0f0d204317c83e6ea47eaae85923849d2ebc2285e17ebd060be87baa7742

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
173B

MD5
c86dad9b93915cc0904fe8da0d016c22

SHA1
da69b14771316f848e6ea971637bd5e5ad4c9b55

SHA256
1bb163d97010a3d75d5809861cb01a58820e2053f29fb07796d9dec51023b480

SHA512
bbd52ba3e551d85a86bd22d2ca6ce9406e420951854d6c7a37bb5cbae63cf214b2664034f06dccf8d551af9b89a02bd1be1f06c32895af2a68fbc2687614ca89

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
210B

MD5
f9084b81ffbba712cc11636493677181

SHA1
0fdfe7790b2831c516c66f8eea7cdc95e67e8731

SHA256
b6feba375782403b4b36c1090149052c798616d261b0b9cb1cfbc573a48b25a1

SHA512
dffccdc4a7ba1404239bdf7a125ff0da9c5a8ebbc5de4b017378418919729a29f8ad079e1a34994468fb505d11fb2e3a7867f9e26f241816c3a3a466ad4028bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
255B

MD5
4d606900f79b200b42ab03c2e20e0267

SHA1
5df6da0cd59c7669cb4bbea9bdb48af115108bc5

SHA256
cb8a6b67843a031f85dfaff15c1d924cca2704f48ad11cb90c3ac97136c78c91

SHA512
793a8807cf59c6a24990d8c8bec7901379269cae757e7cb729400d12aaf4693775508ef21717048ad7f2100d0c4ef4e04d109de1fa0679ef8aad52a8098af981

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
266B

MD5
2c760cd0e32dc750f35a22000d4f9397

SHA1
18236627da9ae7f5644de60acb4982b7af52ec8e

SHA256
3c57f9f10cca6fa4891832cb0ba2246353dfbd733459c103073efd5219e059bc

SHA512
3a0f6b3d2c88c031dd881f18de7ac2c5634acc892830fc79c6ab24da0f898de3041de6b3ca2d02418d591344becb21cfafe91a595aba578e43e9aaac402e8a6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
274B

MD5
b36da76515ea5ffd56da203efc68385d

SHA1
fe852a6e06f90107c2fc877e2075792fb1fc408f

SHA256
ff227b430780a087ca929fce076961642e2e6057d3f4c0dca571d62ca898ba78

SHA512
6f8b0405a48e2ac3787314dea5ef0e68efc49264bab2f79db4689dca9452c90e5aec1fc7223274b16c6a715eaad0184e5632d0989e76bf50058bd718c3998c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
93KB

MD5
6aa650efb4605f4bb39bdcfd8a2198ba

SHA1
da12240ffb9984e3f3d8e93a859bc8d768a242a4

SHA256
8729058fc0a109bfaf82d84abdc954805cd46ed499ff235d5181ff3facdaf2cf

SHA512
6893a2f796546c859c1a9ab2a8c1960f2606fe779a07bbe3cf3c0ebdb9579defa87c3b1d4dbb7e4934839a0cd5062255fb6d019bee11cf57e09b0cf350ce2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3912b157b3979ea4bdf52af2242cf923

SHA1
3f25c43f52e442ee8d3124969fc07b7a66b9dda4

SHA256
7b4882ddcf06315394065fe83acfab80933e392cef341003d21457730c89a1fc

SHA512
b363648ed4205e793f284d35246c4dce2526619ce1a49270c9a55a5e7dc56d55b211e5536de205cd325a7e6673b9524e82e508f11093486a6eb97c7889bace6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fd12be3adf70dc1b5a3b16dd00d4dc7

SHA1
4cfcd655cef11da44fb7bac9f7f7936330d81426

SHA256
01dc068b76cd321a30d8812767174ba31d162e97f5f1339a9662f883a106b391

SHA512
6df6381bc50ab9c2e241d96b59a4f0f6b141b34c7418b5355d90d80f4676e447d8ea6b5feae361f954e34828ca7cc811b40aa0ef28e057bd945304c42e732671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
884f086810ddac64991106c5fb85e694

SHA1
b0a5faf39aada04d194390240f3c524fa904c38f

SHA256
010c49efc661d7fe30f80230b82156a988745bce79ba1e5aac994ac503765ff6

SHA512
03ead2fbb2ca68204267be7cbea426174116cb8dacd033eae3ef3f2dc50a8dbbf9cc08a35660dc26badc5bd99ca50528dc39a2ce365f635aea7c6f7360b8fcd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35b9bd473b3b7bb3ba5fcaa131a339a8

SHA1
4996a711f0823ceafb2a38d269c18013179b9d30

SHA256
48b28e19ceadb8e629a1d5d63520cd28a6da1d5ac8fbb691b00320c1c98475cc

SHA512
538fc59d102cccac07707168da850de7c8875379eda1a627a037c16603214f25b276456f1174505129bfa4e162506c133b5ebf050794fd3cddac62c5199dc831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0e566619c30cc12b8cbd4eb74433bfd

SHA1
bf04ff8aaf0a27a56f4f806de0aa9fdfd711c698

SHA256
8d34e8ad309bfbbb2181b772b69ab9524fe1a6d27d02697e8ae2373500989313

SHA512
09176d14bbb51ce8463031576d078686b924e49e13c02bdd6e89e33ccc97aedbced235d1052dbad3bddae6c9c0ed02fe4a95b865a00fc6297f02b94990b3c6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aed49bc439a0ab68c1ad25a0bc299ea1

SHA1
6571ff492d26f28c4763aa8f3735537c407ed49c

SHA256
d09ad87a13f3073b98f73818d5a2b8732282aa79e9c9f567e06e28a862a498e8

SHA512
754ccd897024596395659920523281aa48e977b5fc1e1d3a49163b3935f198b0df214af754222eca62dccfb51467ccea13198594c1662f4509558cb24ce0cef7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c98a6af0e3f68f1c9f1088ecf7f051b

SHA1
5c50dff8fcaab082aa3fa9df07438e0ebacdc7cf

SHA256
7aa09db826bdce9f62a6117808cf0008097a02df54d5ed0a68e7fb68e0e52fd4

SHA512
6845fb70c18234169bc48cc5021c3ca9fbf7a07d9024020a699583fd514869875d5bfc7ee46903ec2ac200553353c3aeed717a1a809f3894f336848bd061dfd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6f0227868dbe64a8fae5cf4c13f524e

SHA1
fcb653d523848b37d54fe9875256477adc0cf583

SHA256
9eaaabab29fe8e126fba69ad597d6e9466e7d62321de587300fa5cb7346f6b18

SHA512
298264675c8014bf9920fca5b05eb76f55008d800d084ceff925013adad48e3dc61c536f6ea4a7cd730af6022b4ddbda165b2e5b0296e6bdd740a9cac6972204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05af93a1be0061df2e33e736a9875d39

SHA1
09602b185e4571d89066bb07a67d307819d66717

SHA256
3628b799ea807e83f78b10af6150b9f32c4a209c9d4a59ea3c859267c31fcf6d

SHA512
fd25ef064470dffc6a2c0984c0bda254790ee559a92487c0705c9ad80ffd082bc0e33047016bf30290925245363846e01fcbbf720cf70a7f97888bb7ab1f750f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e572ac86271c017e51771d925d66777c

SHA1
9943ebcf89b25d4b1cf9fe4ddd4ffc8318b870d6

SHA256
542d82c598a946cf0562f5fa2f89a061bc0f089c5c5f7331799cbe67d4435492

SHA512
4700f678e507e853ee57add833b8c9f3d4b944c518b85bf98e98b1d07c6726c7943e20e9262a23c09a61b986372e27d131dd72dba1afaafd7247eb3cd7b25e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA99.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDB38.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OI8PF.tmp\setupcfg.ini

Filesize
85B

MD5
2638f094d963afae19371945dc17f41e

SHA1
e45241c0dac7066dd8b4ee784ca0a0a42d7c6923

SHA256
30bbac9d686998429656bbc5dbff5da5bbdbf318934de6ecaa9d114a3dfcc941

SHA512
7acfb95da6033645e5b1c1330580740c584bcc4878547556a78bd16980fe430fda8f2c004487c494d5633fed3e23db03ae523d7c2bc332eed8a08a5c3bcbcb11

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
2.3MB

MD5
b9a8c8345079aae42ecf0ad2177975f7

SHA1
2137855a12bd99604fe8fcd30e90c83ee245aa29

SHA256
cd40b98ef96ce492251eb58e30a3524f276b63998475c21599a3b7f1981405fc

SHA512
68408a3e91c8720ffe3fe3ac0767491b140e1fae902adee4e26a96dc3e5fd9ee3e0c293fc4fe2ed316414397a938b0602580dc422b5d43cc29b9ed655a7a5d57

Download Submit
\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
3ae9703c8eb945c3559c6ddd38515503

SHA1
50c6ac0bcf326e51b8e173dbf111bbd74301a97c

SHA256
24de43663274da426020181911894c3f4831396def816e6627805e0956679bd5

SHA512
743678ebd23576537fb779c299526df6da91b1e6aca0725d3b9520e129d5d4ac6add5d98b0c7aeb48b10b9fa78d0312bece6b1120b9c3c7f792a3f96af5538d2

Download Submit
\Users\Admin\AppData\Local\Temp\is-9N0FG.tmp\37135ac9980c76161cb0726319b6967b_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
\Users\Admin\AppData\Local\Temp\is-OI8PF.tmp\AGupdate.exe

Filesize
873KB

MD5
a3ccbbb0735800b89931b73ccb69f9b1

SHA1
53c70f80017eff22ad88a53fdb3ffc518354af59

SHA256
97d0684ab1ecb2f89a3c8e53dc383aede506a1f9367aa283c0b9992a19854d43

SHA512
e4461a7cf5e8b8e655a2985be672af25e44276b018b7b532a665f26c1a44032bbada7e5a071a78827020c3f18d9d5c79bd0f59fe97876b1eb4279ec4094f3704

Download Submit
\Users\Admin\AppData\Local\Temp\is-OI8PF.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-OI8PF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/356-124-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1268-414-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2092-301-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2120-133-0x0000000001E60000-0x0000000001FEE000-memory.dmp

Filesize
1.6MB

Download
memory/2212-430-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2392-436-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2392-407-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2704-95-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2760-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2760-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2760-125-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2760-429-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2888-25-0x0000000001ED0000-0x0000000001F07000-memory.dmp

Filesize
220KB

Download
memory/2888-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2888-406-0x0000000004220000-0x0000000004327000-memory.dmp

Filesize
1.0MB

Download
memory/2888-428-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2888-136-0x0000000004220000-0x0000000004327000-memory.dmp

Filesize
1.0MB

Download
memory/2888-404-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2888-128-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2888-127-0x0000000001ED0000-0x0000000001F07000-memory.dmp

Filesize
220KB

Download
memory/2888-416-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2932-389-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2984-130-0x0000000001F10000-0x0000000002017000-memory.dmp

Filesize
1.0MB

Download