60df45b9b43f6876187030be134652eb86ef6faa0b1908855ec1edbe7cd695a2

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 04:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.exe
Size

1.7MB
MD5

45f7a759f842b17a906dc78c54f07fea
SHA1

16b0dc5be06a6596c2d1856a72e3808f52f0d525
SHA256

60df45b9b43f6876187030be134652eb86ef6faa0b1908855ec1edbe7cd695a2
SHA512

43eea71ddf80f5895156d538fab79eacde8b5be32fdaf6ce4b4a3f76dcf226533a618697bcf2202b00aa7edf9a364cff55972fc2ebab7e699cd240a0f93e1c72
SSDEEP

49152:c/acXOlrSXY4JzPzFZOPslLebA5rOYiZn9:V8OlrSRKERebSivZn9

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\tbrdrv.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET6B86.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET6B86.tmp	RUNDLL32.EXE

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Inbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Inbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Inbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
3672	Inbox.exe
1288	Inbox.exe
3772	Inbox.exe
3528	Inbox.exe
2452	Inbox.exe
404	Inbox.exe

Loads dropped DLL 4 IoCs

pid	Process
4360	regsvr32.exe
4364	regsvr32.exe
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\is-8KVCO.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-U5R6H.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\default_skin.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-FM7NH.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-HB6TS.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\movie_videos.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-G6RQV.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-8F1S4.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-L7L1P.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-38DEN.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-QREV3.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_navigate_mapquest.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\weather_weather_plugin.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-ORHN7.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-UQ13P.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\music_freemusic.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Driver\driver.cab	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-PEM2D.tmp	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d00000000020000000000106600000001000020000000d8c73aaf3b3771186e3abf994ecfde1b8e4037b61ae636cf84882dfc0c4be48f000000000e800000000200002000000006f7d27d792e5662ba62ed2129cf1e7e63eae3a4280826ee24f32df60db05b7570010000d3943ed9f404ce1a29b6ec139a0ad50204efd13f617d7e3990bfa1358435b3abc766df6e97e124bbbe711db0e899266ac4e297b56ccb7d23ce0ca6fa979997d011410b42ac2be13cb525fbd51db4e54ef3f7f170ff439dfd433e61d301a4d1afa7b0d2a77763dd48db00b2fb3532c07914c8b31f1bfe3ee13182b22b4abd50c8a6d0ff0407d81a99914d82cf2e9ef9bea19ff8a84d03e45248af0ed43693c9a0737e826cf300c717471bf8995e5109fd19cf9dd041b3e95bb52477fede4e400f1e0238fe4d5d66ff34a7b63d9cb464b15420796cdd3c4f5ebe0698906dfd69fa2cbdab43f9df7b5906896164b7a8866375e38c3e4e712aa2c24f0a401a451614c945d8b58ce8b587b48b292bcf5bb9ae6f76dad858afd6b0b9c7810063b4aa08db5ffdc35b40230538e24c29650b1f1abb5b970ce8e80aabfd9f8dbcc2cd80765304907b2d91e2c0e79fb5e227798d0462e21bec0497bec67579fa1de36cc76d8370655ce33de47873616363bdf2f64840000000ec91439495d7632e2c800ed6e68bc7ec3706b69ea884efab3456d463798a4044ee2c6f2d58fac1f1add39528ba285c80945022523694d8d275fc014f846197c6	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1180851911"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d00000000020000000000106600000001000020000000cbc149324dd07e1d9680ae19868bfb4812f2763849130539b3c1e5028cb571ae000000000e8000000002000020000000e5a66b1d4e81efe57a87753b463c2b2462b01d0c4072e39a087684f361b84e6750000000b0e9dd162e716aebe03745100847afdcd83e12ae084259bcb331a2036c33febeec97e93e86b75196bd0285c47f0e58d6a781d47f19a5f588eb3195fab223202ca1a6695c1dac858afa5b0f47e81ee5ae400000006323b973d1dff65fbe27e8c5436bc4a353e4cd5c62e905396aa05e617d05080beb4e8202c075a78dbf3c9c946af86b6f201448983e630a51695aa54efdaf4682	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Inbox.exe = "11000"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137471"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137471"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30894947bf1edb01	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357564f3c9b0c48f0d82da66eb1a1d0ff0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{71ECE7D5-8AB2-11EF-B319-520873AEBE93} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d00000000020000000000106600000001000020000000763be967201f30544c5ce7f453d8682d3859c22a028cefbe319d987ceef20d04000000000e800000000200002000000062d63e9c13c113cc8be9bb34e0d511f722b341626bb69596ae22dc1ba5f00491200000003f66ab2ed699a0e22e8315a19cc49088c6e9a99d8f0e0de3d17d9544bd98b10840000000ae24c8f60bc9f194fea5333878ea8c820d79378ef364349a3fb1f998d7a53de8d5671857f3bac72bda9f109ed6aab83933301a25dc817b28101a2547641b0664	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137471"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search2.inbox.com/homepage.aspx?tbid=80001&iwk=846&lng=en&rt=1"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\Clsid	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ = "Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\ = "Inbox"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ = "IAppServer2"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\Version = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\Version	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0\win32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
3528	Inbox.exe
3528	Inbox.exe
3528	Inbox.exe
3528	Inbox.exe
3528	Inbox.exe
3524	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3528	Inbox.exe
3528	Inbox.exe
3528	Inbox.exe
3528	Inbox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3524	iexplore.exe
3524	iexplore.exe
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2588	1316	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.exe	86
PID 1316 wrote to memory of 2588	1316	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.exe	86
PID 1316 wrote to memory of 2588	1316	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.exe	86
PID 2588 wrote to memory of 3672	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	100
PID 2588 wrote to memory of 3672	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	100
PID 2588 wrote to memory of 3672	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	100
PID 2588 wrote to memory of 1288	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	101
PID 2588 wrote to memory of 1288	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	101
PID 2588 wrote to memory of 1288	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	101
PID 2588 wrote to memory of 4360	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	105
PID 2588 wrote to memory of 4360	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	105
PID 2588 wrote to memory of 4360	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	105
PID 2588 wrote to memory of 4364	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	106
PID 2588 wrote to memory of 4364	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	106
PID 2588 wrote to memory of 3772	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	112
PID 2588 wrote to memory of 3772	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	112
PID 2588 wrote to memory of 3772	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	112
PID 3772 wrote to memory of 3528	3772	Inbox.exe	113
PID 3772 wrote to memory of 3528	3772	Inbox.exe	113
PID 3772 wrote to memory of 3528	3772	Inbox.exe	113
PID 3528 wrote to memory of 2452	3528	Inbox.exe	116
PID 3528 wrote to memory of 2452	3528	Inbox.exe	116
PID 3528 wrote to memory of 2452	3528	Inbox.exe	116
PID 2452 wrote to memory of 4968	2452	Inbox.exe	117
PID 2452 wrote to memory of 4968	2452	Inbox.exe	117
PID 4968 wrote to memory of 1740	4968	RUNDLL32.EXE	120
PID 4968 wrote to memory of 1740	4968	RUNDLL32.EXE	120
PID 1740 wrote to memory of 3728	1740	runonce.exe	121
PID 1740 wrote to memory of 3728	1740	runonce.exe	121
PID 2588 wrote to memory of 404	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	122
PID 2588 wrote to memory of 404	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	122
PID 2588 wrote to memory of 404	2588	45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp	122
PID 404 wrote to memory of 3524	404	Inbox.exe	123
PID 404 wrote to memory of 3524	404	Inbox.exe	123
PID 3524 wrote to memory of 1812	3524	iexplore.exe	125
PID 3524 wrote to memory of 1812	3524	iexplore.exe	125
PID 3524 wrote to memory of 1812	3524	iexplore.exe	125

C:\Users\Admin\AppData\Local\Temp\45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\is-PADC6.tmp\45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PADC6.tmp\45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp" /SL5="$90054,1064361,70144,C:\Users\Admin\AppData\Local\Temp\45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3672
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1288
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4360
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4364
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
        
        "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /installdrv 3
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\system32\RUNDLL32.EXE
        
        "C:\Windows\sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\INBOXT~1\Driver\tbrdrv.inf
        6⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        
        PID:3728
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /postinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging "http://toolbar.inbox.com/lp/inst.aspx?tname=General2&tbid=80001&iwk=846&addons=1&addonlist=&afa=0&lng=en"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3524 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\default_skin.xml

Filesize
65B

MD5
17027e20fdaed63f2ac1ba890420b006

SHA1
730628baa6a3e2621f19a13a8534b7840ed5b527

SHA256
c597ce45f809da4b10b49dea4fced88efa3aa04aa76186ff759510bbcea51301

SHA512
c29dd92bd9ff5dcbb07360be44c7c21cff39f15eeb98d44cd89dcc7eedda8a3dc13325676845527629c79714e6fd5b9be46b3d6fde4760a37f961178824fc124

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online.xml

Filesize
5KB

MD5
3b1d45e2edc9cbbea793044e38850cca

SHA1
eb1d2a9e7f2d09403db17ecf84374b61f4209bc4

SHA256
e14bce863c9d889b2504859ca347237671ee665c39b80b598f36b1144565d9f0

SHA512
2db3cacfc459555c9ae1ae363df20443081d02981093fd5296f4ae60599852f1231b6461b7729c680ac33c0fd2f82ac3efb0d4edec7430bb674176ac82e9c46f

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_navigate_mapquest.xml

Filesize
4KB

MD5
5cb4994f8cab63ac594f9e0a60c78b3b

SHA1
e53bff524af6ebed26322ccbc6794da4c2705358

SHA256
f1663308e1bb4be46503afbb5fcffef82386e5774ee172dd7ca4eb41558701ad

SHA512
d1513851de5f86a644500b01cc850ebaaa2e1a2849641f3f65ff810e1f2c5bea5f53e76493b843da6b1164f899cfb138494f989b8b520c082daf8a581a873c0f

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\movie_videos.xml

Filesize
5KB

MD5
cfbf1862636c82e8feb99120d13b0292

SHA1
a59e129f769ad171970bc034df210449308e939f

SHA256
89f58bda88777e3d55ce106849994855812d17e0d3399f7710568831c3465b58

SHA512
608cf7a104ff8cb66545773d524c9386c38e3255efb33c7ede5c4122e7d5f2dfa77c47f424d6656ea95cf5571a90211e1685cc0cb58010ef6bc8c3f910ee93e4

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\music_freemusic.xml

Filesize
5KB

MD5
ac2f6f85ff81c15c3503d8201946162f

SHA1
ef64bdb0f765181dc8a75347cbd66ca07ae9cc66

SHA256
435c66ea24b4737404c3b7fb5f47bcb03987c37ab4a17a3aa7fb81ede43111a4

SHA512
873d3e1db0fdaf576b607451bf7e02e71a6b3aa90c78ad9dbeb84505768da358d89e302392a1ceee7b6c4232309f6d31a506b6e1a1f14a0d0ba2d060e793d1bf

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search.xml

Filesize
4KB

MD5
35c5cb3610ed06dc386ffcd6e2cdc6a5

SHA1
9e7a3b151014a24c4bda466a4036939e9941a150

SHA256
e874d65c581a2b047b1802cb28f45a3b8354462fe8b5baae5766245c26682408

SHA512
174c9c5eb8844dc473bb8d207f045fb4a0e7bf290633d3830bc37480ee8e420a7c0f1f54c849c394bb8e05922003533b5f9e0fde194463f9b13fd09764315ce2

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\weather_weather_plugin.xml

Filesize
4KB

MD5
f717d24a1672a48e50f25329a7e189b0

SHA1
0540576208f2a899060e425f2d2f1d159368d089

SHA256
cf5faaded2f2316fae4eab1e8b688b84270914e832546dad4cc64de34544fcc1

SHA512
fce6a9eb264833162436b87565b36d6217f142cef12ba3d4c101b7c991d59cddc596d00cffb8a8a8f6f0deb12855207916befed474eb8420a6e9e47140d36fd9

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat

Filesize
7KB

MD5
dacf44f0b690f4c0053d31535fef87f2

SHA1
d2318c6c771a4adddd507c2fa6aa7d81ebc7aca6

SHA256
9175d7ad0f699049214a066e3b7672036a64354fbd88b002fb34f1d8c583d334

SHA512
60c7e1f3fa5c5515907b4e2702b0ffc1f32129fc92c75653ab7591745d78f7fa59b0a6c505b21cedb36151d4ca4a0fa1b90f09f8d267f7c9bd91a9605a87b7ce

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf

Filesize
1KB

MD5
c84b4baaa44b8989b2e76b42c1ab5301

SHA1
36ee3212aec954e82fd73c914717c7ad32cfc367

SHA256
94ecff1e1ce8d5d5ef349769ee4236d230a7f58dfbd0a7d32ebf84c2b41fcec8

SHA512
230bab43937d5ec8600882b2ca6249b07fc580fea5b1c8817ede28fae6566bc78fb8f2088dc4dea0997e217c94659063dc3d2adff0405944b427d325ebe373a7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys

Filesize
35KB

MD5
e7c0aac166d688ab41dff2f17e420a3a

SHA1
00b70a50af14b497cebd100344fafbd3a564fd5b

SHA256
babb144ed6471079b6922914646a110f9fe5588ca3d94deeeda584c484e4ed26

SHA512
fe539d89e28204b1d09607e9f0450ae619ff71efdfccb4597641a27cb3234fce1a2061e273bd8490c9bf15d19871aa93c1bf98c909b6c252549c40915d62721e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1014KB

MD5
f310b2b3401c8771497705062e6ce692

SHA1
e12f0a10092d844ef607ee2bf8b8dd8402e520ed

SHA256
80962fbf38cd66fdfd6df01c9439a06d14cc1ca70f537e4ab0f1a033ca88c84f

SHA512
c7ce3d4c7204757a35aa191750e72b65d2befb718df936a89244d9c5f5dd377ca9d72e330ffae34a61f168ba5b51b5b0085d720577e6d792076aadf9100a3680

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
2.3MB

MD5
57e8d2b1473328877d38a2b97eaf8f11

SHA1
59a94c5913126c733be33ddbf2ed1e74bd8dec24

SHA256
afbc8b0f053e8501fff59efebac5864f701f77685c917e7050417bbafc3244fc

SHA512
b88328d9523f2bd83bf5f2f655ebd17c94ab5ad40e61caa8cfd82c55c240cf11f2ca4fcf5ade3c79390715cacac8b41c7a5a25e7c63118b3844841d10722f1d4

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
bbdd74e8214348db749e1a7bb8595d1c

SHA1
4a666255ef94251fb2d63522c30f885b71519026

SHA256
f6990618b5a20d7914e4cbc42f3eeb3001cc37a503b432e36f3718f8c478ba0e

SHA512
b896a794740cf9e8a1595e2c666d329abe68bbf550255ace4acb4a51b928e2c39ec0efb5b2aacae4de411a11cd24881d0c41de9f2bd890fd6b6701a780d86a13

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
be933a837153743c6b56073e479ce5b8

SHA1
c1bf1b0e3c312d1dfe3895b144fd84fac0bd9d02

SHA256
c7a4cbf113e189658d2a9fd8871d6873a6418013e7f2c8eb3e47bedc9d7767f0

SHA512
adddbe246ec6c37c2ced97fc9861694d2a4c610646fa8c01de171e8a3e733c9153cd7872e0ca52f1e5c444a745724cd3be1fea91c121904224f61eb59bb5fe43

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
85648d9431502bc73ff4332e6022498e

SHA1
fcb08f29358306cff829ab92711e2c9ea80e9281

SHA256
179cc34b4833994666352177bafbb8142cb43b7847045a071306d54c11e2a24d

SHA512
b0311f62850058185c921d56ef27d1098af0d415a3b7df7e8cf4b6ccd64940419eef48f494c4f0f84b4eaab6bc4c55595494011b01ac3e8c9525e4f934df1ae0

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
5c4bf3bdb5df4f5c1aa6b3593b3aac33

SHA1
205e7a9f1ace5099ee7dcb8534bd124cadcc23f5

SHA256
e2a4448058f2fc7355856f9e9074add6d62bfde6bf47f1b82f1e8a2c65526ae7

SHA512
9fe6855a3ce88bc027a9e7097d0d635e19d80765356399b8ff3113335a52a878c244feaf7bac91172d179b8b275d7f3ae03830a752d1f95f5491bf484c322310

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
90B

MD5
31924180263a66026e88d63a45311c5c

SHA1
ef10f37212ee9f55d9f478b5306fe48a9bb14b0d

SHA256
3c286e31f14a62b27e937d6afa76a903f5cb9faa69b7a0734ab0e8ae26cebfba

SHA512
3bf88e06c4196c170ea36a759210166955b88a38c6363b7bedec2eab05e8f8f28e943492ca0211a626214637a9ef569f9d3d91a788a0f16aee3efcfd96b88be3

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
120B

MD5
b08e51add96a2f3e6d2cdc3107b5a217

SHA1
1e7e119ca570281c3f6b029c54ec8f11c918ddf3

SHA256
3ae9149799302c62e43fcff0800ce0f33d89230f72199086642156125be5096f

SHA512
1db13c72aec6be71b59f5e7fb4950f805f4e419ed9755c6af5b359ad92ce9ff87b92d4dae475f890e88392d929ab7b6a034ed2469e2730c5a904e6f692bcf46e

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
133B

MD5
e2743c69355cfc1666f3c1af665b9404

SHA1
1dd90dcdd3be6e8b5b682224dc68ae73bc58c86b

SHA256
cfe066f47e1ca80d1f146ee114e5e15f1f285eac0976da8cc7b6918e6aeeab0a

SHA512
d4896a0b5dde7bf0e126e45397a5da0ed99937aa99946538a0d435ecefe34d696d41b7407bda21b172aaeaa626cf4b6723ae00c84f11ced1b4f41e51b430e012

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
174B

MD5
b532818f5b62d3cbad1e2b4f6c43942c

SHA1
2b1e2e4561201d15fde8051019cdc9a8f43739ac

SHA256
ddac952e158c08e1e3afcea68a1a1fb979368718c7f949d24ca7bfa636a2d8a1

SHA512
c3cf9bcf5a36ac4f41182801ce49aa5ef62018e33532fda60eae65163c061abee260de3515ad3f47a818d9de4db5c6848aede4c173ce84d2407022fe99e8d6f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
211B

MD5
c6beb9a8435f94f9b3a5ef19ccaede65

SHA1
275d008fa1aab3173fc18e1eb52af47d1ee9703c

SHA256
f0c570cc58e691bf38829d7fabc3ceab551819c04ec1e3251e05e23fca7ee010

SHA512
05f173d0d9d264a1d922f1eb6b08d343cf7e99a71db71afb17b1715f52dbe4e161141f49f0a4d508a59160b746c7e5533e0feec225f1c03e1005a936f4a884e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
244B

MD5
06f640e357cb4c7006472112b9f18e5c

SHA1
d254f2e184a30b9079e1597dc76faa8ffe06806d

SHA256
f6d196e1b17db563122ab54cf56f5715557405d23b53776670efffc276f97a6b

SHA512
1b26fa2349622bd588a28105294501cd84ff03fec09d0e812be540aedbba94cfab6bd02acd67e736ae1e95df3825a96509a7cad0ceb8523421fa7245ca329ed7

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
288B

MD5
52a8460ab06487e206f984b6a0633e04

SHA1
0e5bbcde3b4d0a2919c0584f39249d9983cc3eff

SHA256
f961f81a52a052b35420ae11dbe6f15a6229af786afc7318eb9278057e19d018

SHA512
b9bb91462b087c90adcd814e7995268edbab724cc65309377745ca683c190171424019e2a10c0a7edcc93863a47dd80df98f797450c4ae22b5b9eff455d1d091

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
299B

MD5
5307e83d9948fc69a0f7b98063a68138

SHA1
f52158e5687e0279437746effc6a0086d47ac65f

SHA256
ba77d2e197ee7fbabe262920e487a2cc389d66b9e1d3aceca751069fea2d0fbc

SHA512
0d8cafce44074964f3b173d89ec66a502b6adcde35579e920536510a529c04ba195fca44b8371200a3957e84d7a05b9a60d1b74b2c947f236ce7204d6087401d

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
311B

MD5
8148c6e425f3b3b0963d510e41d4d3c4

SHA1
85d3dee8a0c1098a1d3cf0d8bf55ae07fddf44a0

SHA256
615e33cb14953b065ab9a8e1018de0b74432f90c8f1b238e34e3d93479b9d3a8

SHA512
2c578eeb63d8f346b8ccf0bb62d116a94c225bb09356f20c6db8894cd9d87b31687bbbeff030d2e8f0652f7e354f7eb9e9f187569a7b7bf3f0852ddca25e913a

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
322B

MD5
3956a7113a8aba668dee23144dd7e790

SHA1
ce2e28b1b73c0649e76f430611765e19f9b9497a

SHA256
46950a97dbe3bbc395bf97c08ed3093c693e5310f61af64fdedb32d2066b9143

SHA512
e1c25cff27c5d5c4958167b7b3f44efeb6b2774eed2850c214d0bb9b7905894b02641930241d242e629a341b758db71915981197fe7277bdc078556a1217f246

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
330B

MD5
05e1af34fc21952ae61e775deca592e4

SHA1
0ceee651840a8cbc3609aa02151c49cb85abc895

SHA256
c6507a1e8765d15933cc477bbf8d687c769deeff3bafcffe9e8ad825232f2c2d

SHA512
109eff69a7c03e53729ede1e1beadd118200da6045309bb2d103739b4a2ccac48d0221c8da2491d5dd0f37b8d3ca222449ce2219f480cd02c7487317b37881a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
93KB

MD5
6aa650efb4605f4bb39bdcfd8a2198ba

SHA1
da12240ffb9984e3f3d8e93a859bc8d768a242a4

SHA256
8729058fc0a109bfaf82d84abdc954805cd46ed499ff235d5181ff3facdaf2cf

SHA512
6893a2f796546c859c1a9ab2a8c1960f2606fe779a07bbe3cf3c0ebdb9579defa87c3b1d4dbb7e4934839a0cd5062255fb6d019bee11cf57e09b0cf350ce2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9DCB39497F031D5F29924F3E93AAF1F2

Filesize
504B

MD5
3454bd287e345edd21dbe7c31d1cf571

SHA1
53ea662a88e826bd8e8041abdd46b5854cfa1335

SHA256
d9e1022e5d7a6b8eb1dbff6260fb244c07d1c2d746f4db66c3fe13bf651e4408

SHA512
b9cc52b7b024026346564f07b4e7649253877184ffa2481fc0972ddae292c7d5590270e0939806f6468385b57e44e1bb61d629e8325a92dcf55483388cda61ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B624848E7D0C04204BF0E664FB37FBEA

Filesize
504B

MD5
e49cbf003fd1bf3261a452e0903698c5

SHA1
824d5990e3b2fd35890a7fd79aef2ddf2971c3d3

SHA256
a66382fa0de352ba46c0005a7c92fde4c6d094007746feea72bdeb2a890680a5

SHA512
e0af28d72b4152780ca083c7e6f2c386de9f18a8ae42577dad4122a84983c5c1e2a9c2b0c9f54083ed0443f0573ba8f50969c777d728673cfd8a80ce89a0df37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
37566613cf643eb0f3580bd16dae2274

SHA1
3f881121a518699691155e9d77420b41ab510ffb

SHA256
0e2d9d5c3a7c65b00af508d679c3c126a16559d7615492422ed022696135f117

SHA512
4aee7daf708eb45a935c85972cfac51be2e74ae2fb6dc610166593cb838de7da754be9039a7a32b4ada1205d84a229f3d8253ced0d82544d2066f4cb066e66dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9DCB39497F031D5F29924F3E93AAF1F2

Filesize
546B

MD5
6b27dc8d1a1052abc6ec24e2f2869950

SHA1
992dc50964eaada808cae8111321ab063e2a4e31

SHA256
a96bc5266aef201a867b3e8c80efc1ba1d0fe3a2f55975d8cbf3c5c11f95ae8d

SHA512
de4aa0118e4b691aab3ac53c5b9ed7ddfb1944875e329ac80222413ae81f692cc566b8b019ffb87ed783dd9a7bc6a6b62435dcebb601683bb5c7a80bd13536c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B624848E7D0C04204BF0E664FB37FBEA

Filesize
550B

MD5
6d66d2b89377aec8e27587bf7f64cf26

SHA1
8b9f6a8eeb3b47ced022501ca7e31f35d11da56a

SHA256
24c92cb380196bc14be80e7fa3e178b84a56f4515906c20b8cf76b65b628d4e8

SHA512
2ab26c4f1aec28a4eb86494023fa1aefda9d29430b361f8aec6576299158a1895de8c3bf253da4caa4e3b6358d3580d72fe58c638bd6d1667e2f2a6e1cab2397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF901.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5a279vn\imagestore.dat

Filesize
15KB

MD5
765acead2ec5d67e48ba0da8f8490095

SHA1
191ad6d871f48b6cc6760fbbf23d5c46bf278a95

SHA256
88f32f18f16f8f857f02391ddf6c1532579dc42349601a2c49f998b50ab1c322

SHA512
9387bf0a7f00d4966bd2ff0fd32875ae6ff8e04a807fa0d61eb837bcf48537be8f5af0fdd087c3f9b3989d28d24e077b14ec42e38f9f3e981acfe40e2ec3b6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\favicon[1].ico

Filesize
14KB

MD5
de4c71e881f03193bb0884185b51bbdf

SHA1
8f51bb36b81298f9fb57824716539520553b77fe

SHA256
1f8e952702b912ccb4326c9bfd76f4cb49459787a2955924798792c20ed45580

SHA512
cf91b32ff05ce6fab615d727c6a1e25c9f4f08d51af5cadbba74650921333b0f0f3a0444a36c4c4ae77abd3ea54c846c8248af7cc0256c06ca4aabac457eced0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E8N6M.tmp\setupcfg.ini

Filesize
85B

MD5
55c96f10d23713d60e423f8045f516cc

SHA1
5c902a00cd9d163678fa72506d0b383eb75fc780

SHA256
6b6833aa26784a4bdbbcd2d31f7ff6ba5f7474598b668bd010b245c7c8f0d623

SHA512
c08c60d079051410a53d213c54523bda6aecb5e4a81820efab1f573d90e952e3da494b58a255a1a833b2027a228040da5d58472fce927bbd7994937d338444a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PADC6.tmp\45f7a759f842b17a906dc78c54f07fea_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
memory/404-357-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1288-124-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1316-356-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1316-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1316-49-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1316-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2452-343-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2588-253-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2588-141-0x0000000004EC0000-0x0000000004FC7000-memory.dmp

Filesize
1.0MB

Download
memory/2588-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2588-152-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2588-131-0x0000000004EC0000-0x0000000004FC7000-memory.dmp

Filesize
1.0MB

Download
memory/2588-346-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2588-355-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2588-140-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2588-50-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2588-145-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3528-344-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3528-442-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3672-85-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3772-208-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download