da2224f92edd04225d00c2616f9bc95760ec4689a553cdbeeea2bca2ae550958

Analysis

max time kernel
144s
max time network
135s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 16:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe
Size

2.5MB
MD5

4310d664e629499a4fbfa199076842e3
SHA1

bcbb89bcaa21715a012c09af3b500ff2e32bad00
SHA256

da2224f92edd04225d00c2616f9bc95760ec4689a553cdbeeea2bca2ae550958
SHA512

371fc466d670395e336dbd1a99aaff5a1075fe824d6e501955c1d76db8f8ef8558f29f64333fc9a048cf8ab24c39692c1d84d1eda8c00433dcdfaf0b769dca00
SSDEEP

49152:oaSDJLr+Be0SeBk2a5wL18ou9DjMYcOajZqOLBNwDaebA5rOYiZnO:otO0iaaB879Dj3cOodB+GebSivZnO

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETD681.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SETD681.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\tbrdrv.sys	RUNDLL32.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2704	Inbox.exe
680	Inbox.exe
1696	Inbox.exe
2340	Inbox.exe
3040	AGupdate.exe
692	AGupdate.exe
1092	Inbox.exe

Loads dropped DLL 20 IoCs

pid	Process
2908	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
680	Inbox.exe
680	Inbox.exe
2260	regsvr32.exe
316	regsvr32.exe
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
1696	Inbox.exe
1696	Inbox.exe
1696	Inbox.exe
1696	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-OUQ36.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-QQ3CO.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-LT5CM.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-F458I.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-2A2TF.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-K8LFI.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-S1Q17.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-S103M.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-TGKUN.tmp	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Driver\driver.cab	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat	Inbox.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Secondary Start Pages = 68007400740070003a002f002f007700770077002e0069006e0062006f0078002e0063006f006d002f0068006f006d00650070006100670065002e0061007300700078003f0074006200690064003d00380030003100330039002600690077006b003d0038003400360026006c006e0067003d0065006e0000000000	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b070d1e0541edb01	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Inbox.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\User Preferences	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80139&iwk=846&lng=en"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000631e3f8952627f4e9ac94a5444e5d2680000000002000000000010660000000100002000000001cc4b9a884fd70f520a4dfa18039341295e9c8f11fc2e00113d96fe1dc3f0cf000000000e8000000002000020000000d0414429e1527e6e2e0862b74ce7b0f5c758134abecf8b108bff3c7c8029ca20f0010000f1ad6252136893c5dd19d06b97e28a2d36e16ddb2f4e7dbae2bd2fdf1ba4b59d075d931a5e849560a0b68a20d6a3fb1ca7d8395a944eb8e1536cff86c4e910668a9b72efe63f57057f75acb22dc6a0e90acc1a7eef3f7abf7d0bd797737d9b82f327fcc1640488190dcc5b9b8605b2821086139f03c9a6cc3b4c524ce148a43bdc5170bb35f4f689971cd7219699b30e57a1a98d40d592aa85c6bf42b8b9287d2070f347eebabe329b6c9fdcb9ae88086ccd10f64b86c88ee1e09a41c470e5f3d48f9f17b1582942d62ea22ab70edfb14fee6ea819eb00fc3813910a9648e790a7721ec8f0554681e56b9d6596045f6b947f11d7223ef937c35a68657ac10fd920b718243f11d8ef42c8d5e80176114f8448c7d552f6b89657a2da2b1b1d4054a16a9d7b610950322fe29cc872bfdd5d2d8b004f280706be91eca82e7756f3aca82ee30037f6a49ecccd74b7ee03724ca07d67a8dd2a0e7e0f32004181fe817c184acdc63d3fa404234d3ec9543c01ec94cfca48673f67111388f3868d6fc464e635e5dac3d197f7617cd46de91ad6eea6d376831474bde22a5bbfe93a18671555ef1d1a40087e1a716836786e4742ab54e12981259be928bbd6dfc3d0e58d4010bb4fc9870f3fc3925eddfc192a405cfec957fd4921c506a58a2527871ae6d42d2278908b614ce3d2858e5b424368fa4000000055061b268709e2c889065e9874cd534b39bd9f2280568636911ec65c7a92c89f86182e9e3d78c6dc275ba88f8343149e79c55da420df77b504aad6351e229cf3	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0BFD22C1-8A48-11EF-A2BE-5E235017FF15} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000631e3f8952627f4e9ac94a5444e5d268000000000200000000001066000000010000200000006721cf982d7d25a4875df23b2229dc198e82420532e6fb93fe6eab0453fec582000000000e8000000002000020000000a8e763b9a264f28e173a5ab49809204f596da7f762e216b71035433984423c1e20000000c96718cce6846875d04e8e9a64b01eceeb77e901cd682e5320d016a4542fc3d04000000054b6634fa7e752f3134bbfeb6a442c72c6f0e533bb2ea85adeee9aaf65fc957bde5fad27ae84c412003f7beca12f365cb6ef70afac61f55ea2d8762c3b82e031	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c52cc5ca5ccb0308adcca57f76117a2a	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c52cc5ca5ccb0308adcca57f76117a2a	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://search2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80139&iwk=846&lng=en&rt=1"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357567fecebec58b0a87db66eb1d160df2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000631e3f8952627f4e9ac94a5444e5d2680000000002000000000010660000000100002000000014f8bbdda111f4b94475f66a582e2afa3b30457b8aa0ca361162d9a2a54d9ddb000000000e80000000020000200000003f88e9af81c7ed913911044aab71a2425f5300ed03d48ad7ea22ad36c3d6ecb2500000003e3ad5f12566943f9aa5101926900ddba0008155bd981ce12d84f2b4014a84a219ba1275361415805836fa90c8983632d4d51af5446e0925b73afed66490f0b756783d502484159eb205df9c1e0093044000000070b78e5eb07c73650a3e0c419ff179543a6b782d6737786848b72d3bd92c39106dd3d3675cc5ea456aacf12bc1b596f843bef57ca8610d5a07f34679ed0c0b15	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357567fecebec58b0a87db66eb1d160df2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80139&iwk=846&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ProgID\ = "Inbox.JSServer2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\HELPDIR	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid\ = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2360	RUNDLL32.EXE
Token: SeRestorePrivilege	2360	RUNDLL32.EXE
Token: SeRestorePrivilege	2360	RUNDLL32.EXE
Token: SeRestorePrivilege	2360	RUNDLL32.EXE
Token: SeRestorePrivilege	2360	RUNDLL32.EXE
Token: SeRestorePrivilege	2360	RUNDLL32.EXE
Token: SeRestorePrivilege	2360	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2340	Inbox.exe
2340	Inbox.exe
2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
2072	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe
2340	Inbox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2072	iexplore.exe
2072	iexplore.exe
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2556	2908	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2556	2908	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2556	2908	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2556	2908	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2556	2908	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2556	2908	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2556	2908	4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2704	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	31
PID 2556 wrote to memory of 2704	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	31
PID 2556 wrote to memory of 2704	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	31
PID 2556 wrote to memory of 2704	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	31
PID 2556 wrote to memory of 680	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	32
PID 2556 wrote to memory of 680	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	32
PID 2556 wrote to memory of 680	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	32
PID 2556 wrote to memory of 680	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	32
PID 2556 wrote to memory of 2260	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2260	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2260	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2260	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2260	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2260	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2260	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 316	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	34
PID 2556 wrote to memory of 316	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	34
PID 2556 wrote to memory of 316	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	34
PID 2556 wrote to memory of 316	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	34
PID 2556 wrote to memory of 316	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	34
PID 2556 wrote to memory of 316	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	34
PID 2556 wrote to memory of 316	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	34
PID 2556 wrote to memory of 1696	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 1696	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 1696	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 1696	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	35
PID 1696 wrote to memory of 2360	1696	Inbox.exe	36
PID 1696 wrote to memory of 2360	1696	Inbox.exe	36
PID 1696 wrote to memory of 2360	1696	Inbox.exe	36
PID 1696 wrote to memory of 2360	1696	Inbox.exe	36
PID 2360 wrote to memory of 2388	2360	RUNDLL32.EXE	37
PID 2360 wrote to memory of 2388	2360	RUNDLL32.EXE	37
PID 2360 wrote to memory of 2388	2360	RUNDLL32.EXE	37
PID 2388 wrote to memory of 908	2388	runonce.exe	38
PID 2388 wrote to memory of 908	2388	runonce.exe	38
PID 2388 wrote to memory of 908	2388	runonce.exe	38
PID 1696 wrote to memory of 2340	1696	Inbox.exe	40
PID 1696 wrote to memory of 2340	1696	Inbox.exe	40
PID 1696 wrote to memory of 2340	1696	Inbox.exe	40
PID 1696 wrote to memory of 2340	1696	Inbox.exe	40
PID 2556 wrote to memory of 3040	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	42
PID 2556 wrote to memory of 3040	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	42
PID 2556 wrote to memory of 3040	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	42
PID 2556 wrote to memory of 3040	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	42
PID 2556 wrote to memory of 3040	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	42
PID 2556 wrote to memory of 3040	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	42
PID 2556 wrote to memory of 3040	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	42
PID 2556 wrote to memory of 692	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	43
PID 2556 wrote to memory of 692	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	43
PID 2556 wrote to memory of 692	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	43
PID 2556 wrote to memory of 692	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	43
PID 2556 wrote to memory of 692	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	43
PID 2556 wrote to memory of 692	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	43
PID 2556 wrote to memory of 692	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	43
PID 2556 wrote to memory of 1092	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 1092	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 1092	2556	4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp	44

C:\Users\Admin\AppData\Local\Temp\4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\is-4NSIB.tmp\4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4NSIB.tmp\4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp" /SL5="$301D0,1888839,70144,C:\Users\Admin\AppData\Local\Temp\4310d664e629499a4fbfa199076842e3_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2704
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:680
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2260
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:316
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\INBOXT~1\Driver\tbrdrv.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:908
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2340
- - C:\Users\Admin\AppData\Local\Temp\is-EC4T6.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-EC4T6.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\is-EC4T6.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-EC4T6.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:692
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /postinstall
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1092
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging "http://toolbar.inbox.com/lp/inst.aspx?tname=Games&c=4&tbid=80139&iwk=846&addons=1&addonlist=&afa=3&lng=en"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2072
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml

Filesize
51KB

MD5
01116f926b28cb3442473d8b47a6dd8f

SHA1
5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

SHA256
01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

SHA512
df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml

Filesize
4KB

MD5
04e1df757b9b5a6418d79d072db000ce

SHA1
f118b45fa1092a7d473886b05984580dfa5eb5b8

SHA256
20ddca93499bb0a82627577b4cac56b6bb4c0ccb2c10ad92d16bac8b09a96864

SHA512
380eeaa2bd01629c7128a0971d6855f30d4e99bb9347d465a670419d8684585b1f7d52c6ea6e30d12bd7b0101ea1c9399c7e4f1f781db35c225f97a5e0d8d871

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml

Filesize
4KB

MD5
4b3274899a510ce0a0eaa6427bfd2869

SHA1
bbc6075fd32dbb95a254ceec0083f008113f7dc3

SHA256
1799d52866f0579798e7817e9168017bfd5a0a6e452af848e1dbe7311324c0f6

SHA512
4e9ebb12d5e6fa334bf7cb3dd4424036b3493958b9d6755fcaa5b61af9cc2898c588e6914b16298012b385cd0e890c024a607f120332c677f7b7d521952d4059

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml

Filesize
3KB

MD5
ccd6e298e340f9adc0e7359e9e924441

SHA1
87a1a8110e60fe6e0322e253170fb07c64dfc97b

SHA256
81857ce2a92da97d87e489612c6b5a82fb37f2a5856a36b772764f7072452701

SHA512
2bd078aaf07ece5a21c7353bd1843f9be60615775f19d1f14e0551c688b63bd21ac8c158230669f719180a724d64de9665720ba593323b87a638e3163ace5d17

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat

Filesize
7KB

MD5
dacf44f0b690f4c0053d31535fef87f2

SHA1
d2318c6c771a4adddd507c2fa6aa7d81ebc7aca6

SHA256
9175d7ad0f699049214a066e3b7672036a64354fbd88b002fb34f1d8c583d334

SHA512
60c7e1f3fa5c5515907b4e2702b0ffc1f32129fc92c75653ab7591745d78f7fa59b0a6c505b21cedb36151d4ca4a0fa1b90f09f8d267f7c9bd91a9605a87b7ce

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf

Filesize
1KB

MD5
c84b4baaa44b8989b2e76b42c1ab5301

SHA1
36ee3212aec954e82fd73c914717c7ad32cfc367

SHA256
94ecff1e1ce8d5d5ef349769ee4236d230a7f58dfbd0a7d32ebf84c2b41fcec8

SHA512
230bab43937d5ec8600882b2ca6249b07fc580fea5b1c8817ede28fae6566bc78fb8f2088dc4dea0997e217c94659063dc3d2adff0405944b427d325ebe373a7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys

Filesize
35KB

MD5
e7c0aac166d688ab41dff2f17e420a3a

SHA1
00b70a50af14b497cebd100344fafbd3a564fd5b

SHA256
babb144ed6471079b6922914646a110f9fe5588ca3d94deeeda584c484e4ed26

SHA512
fe539d89e28204b1d09607e9f0450ae619ff71efdfccb4597641a27cb3234fce1a2061e273bd8490c9bf15d19871aa93c1bf98c909b6c252549c40915d62721e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1014KB

MD5
cef98a42f1f86652b0ca1c31fdc2e288

SHA1
39d597dffab6d36bc47f21fe20f2eedba864a5ba

SHA256
39490eab802f21e6d00ef5eef0e1532b69a64dbed537c39f6c6129c14b6406bb

SHA512
498fe3191d3d9852c5d7ccd960847f24dc41af43cd2d4d05569b11a2b2f0b5b1c74d66ce520b58a7a6759bbc729d11dccfe5d0a1e6c5b2422ddd083adffae5e6

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
7e2839c0e98367690b3af21d6408aa17

SHA1
99d41f4b0c57b5e6ef1efa2350038e10d4188035

SHA256
8cec384377ada9c4f9bfa6d03b8e6a2ed0dc650cad45b82594e11338458271ba

SHA512
d637ad72dd205f47ba4a163a88eb503dfb24f03a4f0b0c01aef8c29dc49942679eb5db47a1c63ed042f1f1fecd06d8ca6121972f33360cce5b956c0fc530286a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
565371d1e7f731b426c5e36e61d9f003

SHA1
c7752a54f5ad38002ed6452c19570adc833f9e89

SHA256
ac43b254a21613bce70efc92a047cec6c5b9d5c4d6a2ab231ca5fd3b3665520e

SHA512
f498bfb9dc3016cf8be350b837d668441e0a4fd0611c1f28dff72f87d305ebbbf5656a8521245b7d388cff8a19d57ba1eb747f50d140beaab6a1902f66af0e92

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
5c2c888c50585ade35e03fa261e6c7a3

SHA1
228f8b2423945596d44892fff79cee851e725d89

SHA256
b88171732c2054dbc64a1649430646eeaf7b5d63c491e515a66736aacbb7aba9

SHA512
af463a375586f7a07f29c5855146be05ad74bd18fc90d46c653bc6911761b911472ab5bd7eab75a7bd8b9533704118d2d756368c74ccca7b88c4de294e8ee3d1

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
51B

MD5
5cfece4d6b6cb11ab8873514f6b8558e

SHA1
0ea00aeadc1ead04b07bc2b6b045d4f46695fef5

SHA256
ee1745199faa9908c7f87fcfdcbb5e625af6d80c30799a4615196adfa50a244e

SHA512
1d99834ab647d5f7fc03ecac7ec4648367744b1a58dbfa5a510f370a6d187056ebfd49e0696ef0810573701d4ffcefff0fc0dfd330f079b52c0b5761ff6f7fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
129a4ce81f9a7b3dc2d98e090a069f05

SHA1
a266de9a5f3fea40e7de85ddfde49f4b6c515c96

SHA256
9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

SHA512
3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
119B

MD5
4cac12bd9b7e89bee207df7fa117610a

SHA1
d05b8e03f446c117508902ae6de3c0afa5562618

SHA256
ef04c98f7ab58ea2e79251038cb6353bd0f03acb4da1dc18995722464846a884

SHA512
9fa0632cd19578f58cbe8d2f02816badff2d56e05f7a7368e56321a29a6c50e2f2c756313c61545d2232b4a18fc8e9a514d68fbcf047d04e93507d634800efca

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
132B

MD5
462a77d2e953cae9903df4e4fe13ea90

SHA1
e69004a7659f1dc8038fe6db50f2a6fcb89b1a02

SHA256
48e524ddcb7f919a1d70ce703d1d515231be824bbe2124112c00244cd0e5fa51

SHA512
bab2300687ba9ed83d37fdc133642f2de580171f107478e1e6d8492f7ecbb64a748c6cfd581e860a020d49b0bd4780f4d90d84d93d1266ea9525b3322339abc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
173B

MD5
e8b28452fca99f35c2e638b5dbbf25c0

SHA1
063f8596e1621d2e729851d3f5eeed97222d8db8

SHA256
f6d758f921ec3af2b4d6d869b99fa6b99733548ac0e8969b9dab0a2fba202701

SHA512
168adb9275aac9dd9d9bc47a1e7556cd3ccd77d5fe0ed064d6e0538d3afceaaadd2539264cea99cf06670fe3ac168092290308e843cb51d56796adc39cc4aac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
210B

MD5
f70c47ed0d0d96efaa0ee16598f12618

SHA1
57873d74470864d36ef164573c587ba97868520e

SHA256
6f25ea9b046d76825ec52554b94dd5977d1483e1264a3b44b2cec637d3162606

SHA512
23af289df70941b68b5640361cbcaf375df60ac663da731420118fb99ca0a9188aa4500f88c59fb94967a6b667e036d981610f9ee98871dc8c7359ba80d6801f

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
254B

MD5
8f16d396b6d58aed5e1f4829df435e5e

SHA1
8db66e937cc0fbc36b9667a03902431272df4f3c

SHA256
82ceec90c236a06e2fbf764879d52f14b260e553ca2f6e09bac9ec82af18802d

SHA512
25f6864ce2f686e9afe059f0b8c74ae45cc34a4a06b7bad9d4b133d8ea8baa11c48271d42e2cd469acb1a7dd975367db92596a5bd41b08c9b89e45bee4f4d6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
265B

MD5
6ac6b61478ca1cbeb2a4009aeb32e79d

SHA1
114894fc72127210c93f79eb57ad8c8e94e4e90a

SHA256
296306ff1a541bf58d01813e377910311a35818cd106da92b9452a3e9fa8d287

SHA512
a6e5ef5797f3a7521a2a1beab1aadcf12058beb238b75fe13017f1e4668376997f05d00e691f4b0097916483c5de8fcaf6d8e6c34663af3e12cc306f088be1c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
273B

MD5
c29f1f836ad30cc331b48ca9e3cb429c

SHA1
9260f3fd9ec98d87a46305a1402e71c85b5cba19

SHA256
2cae94a77a234b2c5ce0123c4b7f77415b5c55bc1b746b69d9520c289dd8b449

SHA512
ca7f6565ef36f58ef5bdde34aefd1fec118d641a4329350b836d853e662d98da5db9dd3c2ce36dfc1acdda2483df50e8c2721267c80f44a23112d86fdf283d98

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
93KB

MD5
6aa650efb4605f4bb39bdcfd8a2198ba

SHA1
da12240ffb9984e3f3d8e93a859bc8d768a242a4

SHA256
8729058fc0a109bfaf82d84abdc954805cd46ed499ff235d5181ff3facdaf2cf

SHA512
6893a2f796546c859c1a9ab2a8c1960f2606fe779a07bbe3cf3c0ebdb9579defa87c3b1d4dbb7e4934839a0cd5062255fb6d019bee11cf57e09b0cf350ce2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eb3826e49e74d41193b4f797d6c223d

SHA1
2c1bca3c348fcb4adbf864b1bbfc0cfc88ef0c0d

SHA256
82ab0ec131eee9f38fcf499e6ab1e97b6fc7c346deed8ffb8e0a6c68222cbe5d

SHA512
9c92fd66530ee5f53c9697713c5ef3f479dd10fcdf2088ecd6de7f459f948c765e1d6f06b06b5e02a3c8207597a499c850c7e81e4788abe88e04de7f7910062f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0746f5bd98709729d5ba3bdf92e2b39

SHA1
e2d1c2f7876632ce6a647aa68de528e612d4ce08

SHA256
e90b07af2ab34e7e528f2e492cef0d74b9b3600f5be1454e85e624733d39b326

SHA512
3eca4501f23406486d6b2475d2f135afa9f0094b7777195d1d50754438c20bf51e0c01154db7040cb4e6ecf7c905b5db5593a7d127b2e8ae1f7156324f022e74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f020220b15848d5872e3d3fdf2a647b5

SHA1
0a4ce88f096af8ff336c93160b5b3ff2e55234ca

SHA256
b9f9ae2084970c3656604e89a30b2dac61c46bdf9360a3c0beb39e85e3a5bbf7

SHA512
a3ced815a4c026b21fc0cdf1c9652ad61f1ef25589e71b1b22a78e82e399168decd5e0cda707822ffd313ba6ee79bfc8565010a66a5e70ede621cfcb394011c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53369033d3a37d3991feb32fbbdda713

SHA1
c50a55b72ad072f1a22903eb7ada2eeb878c5c1a

SHA256
7ccfbce332122cea9dd5b95624a9e838810eed584c6176d3991d582df735b69b

SHA512
acf7930a77d1cf648664b41e022e07eef964effdad32e2a792f6e18bcb83c940c46da27395c0f5eed49f7223d9e08fd34d00e5daf9e27521d151ae6d9128d058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac0a08075fee35f5822f2606ea9057ba

SHA1
60425f2a19eeee20673d3442a11a276cca8914eb

SHA256
afe42c9c210ea5e10f793078a1fa5d9cdac1300035210b707982cd3626f2c311

SHA512
ec2f61ee146904dcd6008e6067555bcaed8f51c3e0485369055d915c0af60dde129f4f71a647cfec61a156739962247758edc0999e0f783242655d889da1a897

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08bc27702a33c625fdfeb57d0e124451

SHA1
191c3323771eef749ebbf7b9d1b379d067196351

SHA256
1f001fae88fcf3bd4c22b225157ff089affe75048af3282b80514e9b926c95f8

SHA512
d0df5346f93d92c3275fa95de3652dff13e2c1ef7bcdfb06075ab95316d246bbfc39b0d201f597bca6c078ff68568bf4e7053318129018761affb3169b413fe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f731e4250ac2c94e23d5b515fceee2a

SHA1
e7ffe5554c59f0235335dcc8d91ca77f1f2dda96

SHA256
961f595c326f1d5cdf7407528b3f723e2add04f771d49824643b8c5e19148561

SHA512
5eb8897271727f430f18d209f8b95009735d59801976f6244ddf5cd3fe4deec9d92000069d5301bf6f11509ff1ecbc69aa97ae533c5ff2bc69bae9aea7fd9ebd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0237c8394353ffe1d721619c41f184dd

SHA1
97a382af491c746b7a4d7d037dc60c6f365ef438

SHA256
01b05922838f5c43f764f53073c03f2a13ebe7b1b137cbe0cbeadb059ebfb005

SHA512
b4d64ee4f20cc95e2cfc268206a6ad2c0e005ad7ba28f2fd0f28912c88066e434c375b1c57be44b9f4b69f349cef74daabd4940114f90cbe03c6b56a4dd6a781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41ec2e0b60728626b2b4fab920c7dd7f

SHA1
a2d983a63b3b29522dae7c04bac8a76ee2613ee1

SHA256
35f491ab86d264c6d1e207f5be05901064bea312e7336e85055086f3c42c8955

SHA512
5034956382ee6b695dbd00aa4f5f9d2b0fa1e0e07e154a4b9bd7380865bff85d4c58b4ac6f8ae8564e0beaea77f24eb1c158dd1ff272e34f048dc5de05cea96b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09d01c82964d3af8b0fd423e2443f4e4

SHA1
bccb9fe4d03df7cd961b37b6f789768283efc666

SHA256
eec5c1fa2e569a9c54b3073cac24cfdf914bdc274d00bb50358d3f4267d3689f

SHA512
0ea09c8a7a3f8e322e138d521815602e9b502afff90c0a5d4ea8d70e0ae33cee833a8a48981fdd5dbb282f40ff88b6f225c887656d60049eb6213fc8fb4b9e3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85f26cdd43cd71eef9a488c0ea1bf22d

SHA1
f2d4f35da867d49ce540c73e3363aa45df6c2898

SHA256
2ad9b7e6e162997b1da99f2424e20995ddf2a6db91f4e73e89e507edcb062d8a

SHA512
c3b35309790cd278936ddc024e9428af07c7f46eb6314b623ffe1ba256222c0b5e972c91fca74b25201914d80062fed31981f10f1a312bd7d7ec6cc284e8f6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3822.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar38B3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EC4T6.tmp\setupcfg.ini

Filesize
85B

MD5
00e9d0f34b3a913968be26c46c156644

SHA1
20e7a6b33595bc4444c696533f6182836d997aa6

SHA256
7a837a30f1812197812e6a8a231034c51852d57f0a1e444b2bb5a33be6c1d83a

SHA512
fcc04e08d263042c991a8d320f4720f4410b66ac365946dd6bcb1a829b7b129a073fa4b2180b06aae65f5a72ef431b8916d38f5866f9b739054bd71a7c224555

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
2.3MB

MD5
7bfb9bd61a69e7a4717f34f22dae8b4e

SHA1
a8b1ba82ee7172e9e5f184fef35bd41bdd373906

SHA256
f8404bd34230c1db313e2659ea483e7640c10987917e2cebdd4dd9c4ae67a19d

SHA512
19e6a0c065b1f6980b6927c6af5accf7b5d29f450daf37e57feb9ec901f3105cedd34e2129f2c5c320b516bd6a709a3b8a6885f4ee032e12dbae0dfd4b9a3273

Download Submit
\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
67e866dbad2c21354f585086d3f3e5b2

SHA1
6b0ccd164c9108b01a81f249a2d9c05ed3b5f67b

SHA256
6d7c851b4dc1acb135aa18ef28c5921472ca46d555358fc97bf2b10fc82ad8da

SHA512
ff0945ec265d3c04335e3a0ab08737ae68ba893455ffa3fa9e45e73ae2d58df737d247827e6b110f904fb18dd40e0d45882655f43b17c6bccd88265ad2aa494e

Download Submit
\Users\Admin\AppData\Local\Temp\is-4NSIB.tmp\4310d664e629499a4fbfa199076842e3_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
\Users\Admin\AppData\Local\Temp\is-EC4T6.tmp\AGupdate.exe

Filesize
873KB

MD5
a3ccbbb0735800b89931b73ccb69f9b1

SHA1
53c70f80017eff22ad88a53fdb3ffc518354af59

SHA256
97d0684ab1ecb2f89a3c8e53dc383aede506a1f9367aa283c0b9992a19854d43

SHA512
e4461a7cf5e8b8e655a2985be672af25e44276b018b7b532a665f26c1a44032bbada7e5a071a78827020c3f18d9d5c79bd0f59fe97876b1eb4279ec4094f3704

Download Submit
\Users\Admin\AppData\Local\Temp\is-EC4T6.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-EC4T6.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/316-122-0x0000000001FC0000-0x000000000214E000-memory.dmp

Filesize
1.6MB

Download
memory/680-114-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/692-413-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1092-429-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1696-320-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2260-119-0x0000000001E70000-0x0000000001F77000-memory.dmp

Filesize
1.0MB

Download
memory/2340-406-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2556-427-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2556-116-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2556-415-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2556-125-0x0000000004030000-0x0000000004137000-memory.dmp

Filesize
1.0MB

Download
memory/2556-117-0x0000000000740000-0x0000000000777000-memory.dmp

Filesize
220KB

Download
memory/2556-405-0x0000000004030000-0x0000000004137000-memory.dmp

Filesize
1.0MB

Download
memory/2556-25-0x0000000000740000-0x0000000000777000-memory.dmp

Filesize
220KB

Download
memory/2556-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2556-403-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2704-91-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2908-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2908-428-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2908-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2908-115-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3040-367-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download