ed36b3855ab7486128ff5dc60c2910851194b52dc5ea0bfceaa6166bba8e7a75

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.exe
Size

2.3MB
MD5

4257973cc7c45876cf04e8b4cc8164f8
SHA1

590f584afd3c6157f6d3e8330322bddb3fa929c3
SHA256

ed36b3855ab7486128ff5dc60c2910851194b52dc5ea0bfceaa6166bba8e7a75
SHA512

03c9af6a3b538c6fa01a6393ef779f81aa3cf249f6b7457604479e9a7f70a33cb5761008bf303c1ee875cb2cccf4446523a7313e6a5b87df1dad4d9d899c320b
SSDEEP

49152:Q/vv5B9qm6C31fkNZ8EPAGCcI18q+TBeUq0ebA5rOYiZn4:QnvVR3JkLhYc08XdfebSivZn4

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
1396	Inbox.exe
4568	Inbox.exe
3796	Inbox.exe
4544	Inbox.exe

Loads dropped DLL 7 IoCs

pid	Process
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
4008	regsvr32.exe
4008	regsvr32.exe
1868	regsvr32.exe
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\is-KANP2.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-OO9CL.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-SM82F.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-T3JA8.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-74057.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-8P9HP.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-E13AL.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newspapers_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_rss_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_weather_plugin.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\red_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_tvnews_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-5K14N.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newser_panel.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-R2F6V.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-2A5KQ.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-GE7C2.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-8H74P.tmp	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_search.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80135&iwk=846&lng=en"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80135&iwk=846&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID\ = "Inbox.AppServer"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
4544	Inbox.exe
4544	Inbox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4544	Inbox.exe
4544	Inbox.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 408	3180	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.exe	85
PID 3180 wrote to memory of 408	3180	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.exe	85
PID 3180 wrote to memory of 408	3180	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.exe	85
PID 408 wrote to memory of 1396	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	87
PID 408 wrote to memory of 1396	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	87
PID 408 wrote to memory of 1396	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	87
PID 408 wrote to memory of 4568	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	88
PID 408 wrote to memory of 4568	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	88
PID 408 wrote to memory of 4568	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	88
PID 408 wrote to memory of 4008	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	90
PID 408 wrote to memory of 4008	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	90
PID 408 wrote to memory of 4008	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	90
PID 408 wrote to memory of 1868	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	91
PID 408 wrote to memory of 1868	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	91
PID 408 wrote to memory of 3796	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	95
PID 408 wrote to memory of 3796	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	95
PID 408 wrote to memory of 3796	408	4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp	95
PID 3796 wrote to memory of 4544	3796	Inbox.exe	96
PID 3796 wrote to memory of 4544	3796	Inbox.exe	96
PID 3796 wrote to memory of 4544	3796	Inbox.exe	96

C:\Users\Admin\AppData\Local\Temp\4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\is-D21DR.tmp\4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D21DR.tmp\4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp" /SL5="$700F6,1738955,70144,C:\Users\Admin\AppData\Local\Temp\4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1396
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4008
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1868
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newser_panel.xml

Filesize
4KB

MD5
20d15d2e884398c73fdeaf95274360ce

SHA1
b6d38be8a680c8aa11143e4ba1a02beff3ba68de

SHA256
f83d863d362f83f763929837d46aaf13fcf29d77cc648a6a970b0f8fdc57500a

SHA512
329b79936d5c03e56012f0478c2060efc83bf26d283cb9f871b4627b8064ce420bccd75c3917c99d9441baf7e12ea1c5172c1ad530c904cd281324ae2236450d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newspapers_gb.xml

Filesize
5KB

MD5
293f59fac1d1e894e5e0900733f9ff04

SHA1
bc81022fc0e04e64ec7676b41d4d2d5a915d4672

SHA256
7a805dbc92c5bdc199a6e2d863d39eb50efd398af79efa4c6f7a8135c6c70a0a

SHA512
db19d7c80de0cbf2e311956e254e06b17e313183df039cf4e69383ff853a5babcafa8cf44cb5eee818654f8a37cb7f79f32a8bb83524be0877d1baed697bda4a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\news_rss_gb.xml

Filesize
4KB

MD5
8244b5376ed96bcdf123c4436cc7bdb1

SHA1
4e61e9f18baa915afe8c5c927e8338c3628d144c

SHA256
5f42bd140b8b0197bf738da16b5f092a73cebaffeda04c1988581adc74283abb

SHA512
651118edb94eee302944a3ae4fdb1949453896d4bd3751c4822da8e2c2785fff22d6ea59c63e860f4209dcf35d94845a3d12d01b03e7e341bf0b15da78cb7905

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\news_search.xml

Filesize
4KB

MD5
bdb2ac871a1b7841a6d55d6aacfd34e8

SHA1
a8ea30fd72451fd1bf589a1d742559cb66e45fda

SHA256
72ebfa533c7ed0fa951341492d69a343450147254ebca25ffa0335cb3e6fcb71

SHA512
040a6dbf1bfeabf8c2db9fbe7d2e76d1c1a9b367b8cd50ba09edc8c618034a83b8b4ef8f5a58778f02f9114c8001103926bb9415556a54576ea6a1726570e84b

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\news_tvnews_gb.xml

Filesize
5KB

MD5
8a6f93869eecabdae7213d4dd7ac85d8

SHA1
2bf838a898e234b598253b80f97ea38d47941059

SHA256
c08fc50976f9b779ea955f15f8b878d74cce1d0514935aa3189c9940db05fb90

SHA512
379efc30f379a8e6e58a370b026d2736795fcd67e8f12b8a2ca1e9c276ded73bf4585958e3abb6223be8c6fad74e9cfb09de427dc0494f38a31b9e704e14cb52

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\news_weather_plugin.xml

Filesize
4KB

MD5
ca2c270c4ec6e4704336b4cd48273701

SHA1
cf7ad0b7f3607cf279883dff44615dcdd76c3917

SHA256
527ae189196a5d4fb23e31f1425860a50a443880c832eab6595820e062ae30a3

SHA512
913c521f99b2cdb7a9af5c3b48f41773b1225797af15e1279df975ff9279b9f23f8a71694afa3768f2b5dbeba29fe64b3810b2d11199fc7a3b92849650aa380c

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\red_green.xml

Filesize
53KB

MD5
6dab2e4b1c8a80abf484f8c6f0025e4c

SHA1
39b5ee7d2663c6bd0bd5fd67b1f0f77c84f71804

SHA256
821610b71456ce7b4f8133e85430929402bbc171f2df4b21f14679fd90f6588e

SHA512
70128c3d436c565e8559d44bf4110b92cfe080c94616e914c6c6f457fe6e44ecc7844331ac4549138ce4316a7c37faa892eafabb14f41fef1c3558c11d8c55e2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
86a31966bf0fd274595b05fe9221f843

SHA1
29cf7233b1c7c0a84469ab9d9e35113165500d9b

SHA256
b4efe370bcc1066d91206deab2bd58371fae93af5f17996be8ffc18a43945cd2

SHA512
dbc0c48974421f4b78967a2ffea108123dbf804ff079c969e25cc13a12b28d27d18ca71dd061da880c359b11b7b09c107a8f320330703cb8fd1c7cfc7ad7ef9d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
c438e168e66b77ead302b933149ad4bf

SHA1
5788999969d0da6cd4589f2651981d750923dfd1

SHA256
738e45013c262f87a0d2e24968977bc6bdbf465764371b7779753b4f883416b2

SHA512
f762b02b6aabf69932ccdf207fa8c964ad7506bfad3e5134a51cd09d56dc31058f2377a602c93624f51bf4169e1b775bda27d253d2fe32de575bc223a2c3e50e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
b81deda927c04da1559f5a2af297bc9c

SHA1
692cf50d87e330a5a056012d5dd551342280eaf8

SHA256
859fb8cd52cdbbf069291a0e3f2e0638430acd609ad314d06b72fd544129e79d

SHA512
f4fe880aa87312264118198ecbe4cfc0b75091099cd82bff64f960196916fdc9d908a75c1f2d7784d8dddb4a041bb7ffe01ebc87ee7e0436090b296de3f6f709

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
517235fb04de12218e3bc6ae53721d19

SHA1
cc3b52827e2e2f28523fbf9dc777744e9798dd63

SHA256
1b05b12b4b7cf5e290cc62f4ad9d715c94c1fab82021c6a759b9ff82eebbc676

SHA512
e9f048fd150ae5d3d7c2b1a65c1826f0d8a8a331bfc97011a3d688bf115f23baa6f6605de9fce66eccd85b68c78594a028ca1d255f7437de674027374bef3a54

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
1a7df8b41680d7998a322727653c83c9

SHA1
e521cd19e03e5abc9e06af305719fe909ef6e2ad

SHA256
c4a6a1bd3175dd00d4d89f33a7a39bf6db731b8c653de5cb9fa05321e6e5127e

SHA512
3d3610876074ab8b1ebc046789f0f7bb2c567bf2bb57380c40366fed3d79b834c898a7139a7a3d355c15917a6b3d32dd0cf0c60caff586ec9c22c48f89b4ee2a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
199c177a4f48b1e7d67c7e5cf57fb194

SHA1
797201b6ff6be6c88ca43822339f55b649b3bcf4

SHA256
5a95bd04712c7e541dcf81f693d771b1e6f644eb652e395612a6e98821709180

SHA512
c7f1962d0d541adcb4647486d0c7ca197ca721bc0a200c13908e402c02a89b757efd27bd90a58494af8b8d4bb46272528ac7c61a46de1fcdd6dd8ac65bfcafb0

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
50B

MD5
f9321b74661c06ad990a711d6d527e2d

SHA1
96d5439e9d39dd4f379ffb7c8240e8da59e6c79c

SHA256
8a23e7dc3ec1648d98a1041dbec9e20c10e74f10edfb2527ea89ea32dc5f5fa5

SHA512
c1f96e30f6d7b1ce5ac631740a42fcf1277ab8658ab145eb671130477f638b881700eb8db96e447e84365bb57491f5bf38a34f0475acc742ca84615047ec27f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
28B

MD5
4cbb2d42272915fdd5f76a98a75caf87

SHA1
9b1340f72de55a9d7839a9cc59e405d4373027da

SHA256
48e7fe515ee79b9bc2fb39c8c32d8604877cb77d2909d0bb6e7db8a4b81a6230

SHA512
e91bf0e5f69f5ff56c8cf1b8487f3ca9eae97aadcba54998d2543c11068e393e415511bd7c16cc259053a68d40460b240633cee0b8ce6ee3f3f4075758dfed2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
68B

MD5
629ba37109ba956f6ef9788b13b93a6d

SHA1
ae1e5d4d1515af9f8076c6df09887e9f7155a3ee

SHA256
26a6f21c3ed92f12d0d0f62d1cbef7aa8904af940a897c29a9c1551eed656d29

SHA512
bf7a686c9dffd8a01072f8c6b2afc73be20297a44c35ffea67a70c24d0eec6a99b8b62067ebdc4575aadce896b4e7bc0616ea80e7954a545a3f27a780aa7971d

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
97B

MD5
97e7129bf04d4557f07cbf9168732f4d

SHA1
ccfa6a2318a73e57ae0abc54e6f2423778bc44c8

SHA256
b352a84ff49f2decdfc26b3920d97cd3a3a15313605fc9ebbc30f762720896ec

SHA512
21cbd585ed274399d00c4b33df2b8261d0d715dbff7174aabdbf385a2262bf7dfb2897a55568c569f8845871b0fde1fdbdf40f595a0fad4193c07152dd2d77fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
152B

MD5
c7d44e377a3018a7582f92804824711b

SHA1
b20477be8fbe1b8ac1b791a02a22d71dcb372a4e

SHA256
40e232ec808615a96a6b5ab1a720a9b1de0b74999efe4cda90cffd549f26521f

SHA512
84b9ae743519ede85976df53b4ebbfb1c968899bc3b0735c447c0607b919bd92e4cdfa44106d83de933e698c703ad347989334be2e1baac1eded2062a2c7456a

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B624848E7D0C04204BF0E664FB37FBEA

Filesize
504B

MD5
e49cbf003fd1bf3261a452e0903698c5

SHA1
824d5990e3b2fd35890a7fd79aef2ddf2971c3d3

SHA256
a66382fa0de352ba46c0005a7c92fde4c6d094007746feea72bdeb2a890680a5

SHA512
e0af28d72b4152780ca083c7e6f2c386de9f18a8ae42577dad4122a84983c5c1e2a9c2b0c9f54083ed0443f0573ba8f50969c777d728673cfd8a80ce89a0df37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EF5A8FFDB77E427DAA4FCC1F3D18CADC

Filesize
504B

MD5
dc0ab89449cff351485e312be53fa652

SHA1
dbbde9a2b016b77ca960063fb418fceae2f2dc9c

SHA256
a4996874afe954e2ea432a16f0922ee814d18b6785605b2c01f868df1bc5a4aa

SHA512
0f764b6071e7dc7ab95cbc6cec45b5445768bbdaf269a9ba9dafd340921cdbcacf10d2cf852b085544d800faad462bcf227cbb0e71a482f539b033cf8fcc9624

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
2e9c7144dea842af62d11c7007979cb0

SHA1
709fe45a326bee1f98f75f46e297fae3ac3d08a0

SHA256
0ac386f3554e3e275ffdd1396d5a6dd286bb5981b1828aa76bac2cf8c80621cc

SHA512
c35ea52cc4dacd214c0d78158ae88dbaac34f11d52399b56c3428ef406ff57b37ee6e5c011a39025f112cb8390298dd40c4998c07ddb5a7c0b8e0ee82da38abe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B624848E7D0C04204BF0E664FB37FBEA

Filesize
550B

MD5
d84802895027d570671ae91fa4d6d47e

SHA1
3028219a124a5e32a5062a4aa50e801b59e94b30

SHA256
48cb9848b182560852014f5a09b6216200584fee0ce1f712bab9ac4993edc4ad

SHA512
68babfc9b3762878bfa8f92eaf1d65f300b46dd47a1ada2195e4bd4f6415dd16747132a93edc93d9ee791ca7f613a26daad51b1858c841eca43c3c47e5831634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EF5A8FFDB77E427DAA4FCC1F3D18CADC

Filesize
550B

MD5
8c3e2302d9f248b171998914cdb7da24

SHA1
f1096dfc767e7a83176099ea610db718268ca390

SHA256
dd06cf196add8cf4b1bbe508ee48d526e8b089d3da72fd392f6faaf0f81a5700

SHA512
9311aa6741e4e46584cf4096376d2330747e81c8b41040c05a54aa7d31bf4cbec9cacc835b841681e9d3d03aced30bf1754da1bfdf0d57eed1c917c8be04c1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D21DR.tmp\4257973cc7c45876cf04e8b4cc8164f8_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RD0NG.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RD0NG.tmp\setupcfg.ini

Filesize
44B

MD5
39adf9e4379e462c4047945efdc0b5cd

SHA1
bcc32902fd2b3599ff3a4c2fcf0ff6b21d2e3c72

SHA256
7812234560b6844a1236530aec8239bb761bfee1bfd81fca3d860da23e79222a

SHA512
2d1345b39d52de2e717ba27abced7c40c9b5520250a5151dffd7b4be61e53fb7556f5b4a225e6122397042eb2897860425a41848a0c494d61103c5fcd245f9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RD0NG.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
memory/408-397-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/408-367-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-428-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-129-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-246-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-20-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/408-233-0x00000000048F0000-0x00000000049FB000-memory.dmp

Filesize
1.0MB

Download
memory/408-424-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/408-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-231-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-213-0x00000000048F0000-0x00000000049FB000-memory.dmp

Filesize
1.0MB

Download
memory/408-423-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-418-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-419-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/408-411-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-130-0x0000000003C00000-0x0000000003C37000-memory.dmp

Filesize
220KB

Download
memory/408-406-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-388-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-396-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/408-398-0x00000000048F0000-0x00000000049FB000-memory.dmp

Filesize
1.0MB

Download
memory/408-401-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1396-165-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3180-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/3180-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3180-128-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3796-322-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4008-207-0x0000000000590000-0x000000000069B000-memory.dmp

Filesize
1.0MB

Download
memory/4544-370-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4568-204-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download