456dfff54af10020a0838bc81c8807b0d6681607fe5b9c99f12e7ab5ecc366dd

Analysis

max time kernel
144s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe
Size

2.4MB
MD5

563c77e1ba47c5f9aa47e9964a910aa2
SHA1

5ae3a598aeeb023c56caa4b488357cc7b2500665
SHA256

456dfff54af10020a0838bc81c8807b0d6681607fe5b9c99f12e7ab5ecc366dd
SHA512

0184dfa1e2f1decd4ac0f79fd7a805f86e06f008ffa89518c9500135beda6f7bae5c8a18276db8ee6b2a0225592eb3967c9bffba75eaebfd630e339bb1bd8e08
SSDEEP

49152:rl1SW/Z9qQAoe1NZ6xCi4B7ySm+vmSIOQzeMR7zZHFRYptebA5rOYiZnn:mKgo6NZ64i4oSfSKy1H/uebSivZnn

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETB941.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SETB941.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\tbrdrv.sys	RUNDLL32.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
3008	Inbox.exe
1840	Inbox.exe
1688	Inbox.exe
2924	Inbox.exe
1932	AGupdate.exe
2284	AGupdate.exe
2464	Inbox.exe

Loads dropped DLL 20 IoCs

pid	Process
2184	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1840	Inbox.exe
1840	Inbox.exe
2640	regsvr32.exe
2488	regsvr32.exe
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1688	Inbox.exe
1688	Inbox.exe
1688	Inbox.exe
1688	Inbox.exe
2924	Inbox.exe
2924	Inbox.exe
2924	Inbox.exe
2924	Inbox.exe
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\is-0PU6M.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-2JF7D.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_encyclopedia_br.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-BTJOP.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-2IQVN.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-H8OP3.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-3CGNS.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-ACG43.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_translator_br.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-INCNI.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-98QSC.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_dictionary_br.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-C7TU1.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_history_br.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Driver\driver.cab	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-NMDIC.tmp	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search_br.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\blue_green.xml	Inbox.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000bad190f98979eb92b5d37314ef46b97d31dd238e108840267cf615eeda3896ad000000000e8000000002000020000000c56f5bca6112834699a2bd7d29ff9063d906b633e29cd5fd5d5103046ab8b86af00100002bcdab3e81339885cc6ae8765bf33e85f3b8d762b14ca6c4feb77023b053ecefaafe9824ef1db70b50918a9396b8bb9fa27ab669f9248a2d3224fe4958d3176653b27969999172b2919dfe166795e2d50ac2852034aab26a2b9e4e14ba67a3627af9d777a0af576a48a299a363f2db24d8e3e673eda1ab368c0cb124b5822260230d1b34468746ce27118af2729aaa9f46838e30cd630479f21a677211182347099bf0e48659dbd00ca987a2931a6d677348b0260634d18e1dca9992df9d827eff6f4e09cdd4dc0904c643235c429874be8996e0d4a5afc8bf7546abeb3c674aca5414e40ead8df26ade75687f6d9a355e95b1dd01e0abf541f880249633374590d53e706e3c8ea104fed8abbdc8ec4c6b9c2495b9722786f6fc3044487bd5a9d88f67b344021dbe07eac97ec6f8eb1477af9d1a9705156d6f8da16bd02d8130e8de396890aac87e17a2309997fa04c02810a2a983d2a640b301ea3e557305ca624a35fb8db40fc09a655cbbb949d0322e1ec19a994232ca1e45b9234cc2e0ff8b02017fee8574ed0234494e24104b9f489e5aba4e7f8734eaacd23de9574bb671397882cced81a223b7b12f17924c69027b658f0cece9687800bf5ef390e47f6f35a0b2b605342751ee361ecc4e0261c39d00baefad9167368476fc6f84553ef4cb6160cce137d82c82a82bb93aa18840000000953e6bff367429e47f646f2e3c92886528915acfb43b7cbdafc9b5c4745c60fc1853bbf33542aa1707b3d5234da6b3e965b484337d5e7eec25c0a809f2e6e973	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435399448"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357565fecdbbc08e0580d363eb1e110df6	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000cc510631608c3a6bea379ce17f57e64c43c8b2977b0072d30e5587b9eddab9ba000000000e80000000020000200000002bf0e4cad31f4b583547cc09eb78371d8325d028193e0e44aeefad98536fe36650000000d1547a656d8a3ea52228f95120080a07685ee53000b0ed84d75aeae072162f8282faf0f06a6083c6449c23b9b3ef5a44a54fe0b0e0ca09de56867b2855f6b494c3c5fdc192749be3b8494d5a574a7fc8400000007d5d3b02599d9dc69ebad745cde82a09b337a69d2cf5f12d5024a06f2eabd29f9e386b893301732b5750e765c85ed4d3ea59c33e7a4f7a168520331c3c1d4f24	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b357565fecdbbc08e0580d363eb1e110df6	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308c97e53121db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c52ec5c959ce0607aac4a07f75167a2e	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{10B29C71-8D25-11EF-9733-46BBF83CD43C} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000829348988114f08d84157612c03a9f0deb9085f095ddc29500be3f6aae384297000000000e8000000002000020000000976966f6734a5b3f74f391de51368c1ec75677e25b6f4f32ecafde5ada94085520000000562502b37f9c51680074ee9789da67fa08680e2964afc1427b5b6c8de885b33a400000008f42740c22d684577a220318026dbecd053eed027e89e390f760508f48420563ecc5eca9047417c6b31ef58b0f316b04d1a948355aa444d816ac35e326ab7116	iexplore.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Inbox.exe = "11000"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80389&iwk=847&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\Clsid\ = "{612AD33D-9824-4E87-8396-92374E91C4BB}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ = "IJSServer2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\ = "Inbox"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\HELPDIR	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1352	RUNDLL32.EXE
Token: SeRestorePrivilege	1352	RUNDLL32.EXE
Token: SeRestorePrivilege	1352	RUNDLL32.EXE
Token: SeRestorePrivilege	1352	RUNDLL32.EXE
Token: SeRestorePrivilege	1352	RUNDLL32.EXE
Token: SeRestorePrivilege	1352	RUNDLL32.EXE
Token: SeRestorePrivilege	1352	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
2924	Inbox.exe
1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
2924	Inbox.exe
2924	Inbox.exe
2924	Inbox.exe
2924	Inbox.exe
1308	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2924	Inbox.exe
2924	Inbox.exe
2924	Inbox.exe
2924	Inbox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1308	iexplore.exe
1308	iexplore.exe
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE
1020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1916	2184	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1916	2184	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1916	2184	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1916	2184	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1916	2184	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1916	2184	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe	30
PID 2184 wrote to memory of 1916	2184	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe	30
PID 1916 wrote to memory of 3008	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	31
PID 1916 wrote to memory of 3008	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	31
PID 1916 wrote to memory of 3008	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	31
PID 1916 wrote to memory of 3008	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	31
PID 1916 wrote to memory of 1840	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	32
PID 1916 wrote to memory of 1840	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	32
PID 1916 wrote to memory of 1840	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	32
PID 1916 wrote to memory of 1840	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	32
PID 1916 wrote to memory of 2640	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	34
PID 1916 wrote to memory of 2640	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	34
PID 1916 wrote to memory of 2640	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	34
PID 1916 wrote to memory of 2640	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	34
PID 1916 wrote to memory of 2640	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	34
PID 1916 wrote to memory of 2640	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	34
PID 1916 wrote to memory of 2640	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	34
PID 1916 wrote to memory of 2488	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	35
PID 1916 wrote to memory of 2488	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	35
PID 1916 wrote to memory of 2488	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	35
PID 1916 wrote to memory of 2488	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	35
PID 1916 wrote to memory of 2488	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	35
PID 1916 wrote to memory of 2488	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	35
PID 1916 wrote to memory of 2488	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	35
PID 1916 wrote to memory of 1688	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	36
PID 1916 wrote to memory of 1688	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	36
PID 1916 wrote to memory of 1688	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	36
PID 1916 wrote to memory of 1688	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	36
PID 1688 wrote to memory of 1352	1688	Inbox.exe	37
PID 1688 wrote to memory of 1352	1688	Inbox.exe	37
PID 1688 wrote to memory of 1352	1688	Inbox.exe	37
PID 1688 wrote to memory of 1352	1688	Inbox.exe	37
PID 1352 wrote to memory of 480	1352	RUNDLL32.EXE	38
PID 1352 wrote to memory of 480	1352	RUNDLL32.EXE	38
PID 1352 wrote to memory of 480	1352	RUNDLL32.EXE	38
PID 480 wrote to memory of 844	480	runonce.exe	39
PID 480 wrote to memory of 844	480	runonce.exe	39
PID 480 wrote to memory of 844	480	runonce.exe	39
PID 1688 wrote to memory of 2924	1688	Inbox.exe	41
PID 1688 wrote to memory of 2924	1688	Inbox.exe	41
PID 1688 wrote to memory of 2924	1688	Inbox.exe	41
PID 1688 wrote to memory of 2924	1688	Inbox.exe	41
PID 1916 wrote to memory of 1932	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	44
PID 1916 wrote to memory of 1932	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	44
PID 1916 wrote to memory of 1932	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	44
PID 1916 wrote to memory of 1932	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	44
PID 1916 wrote to memory of 1932	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	44
PID 1916 wrote to memory of 1932	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	44
PID 1916 wrote to memory of 1932	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	44
PID 1916 wrote to memory of 2284	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	45
PID 1916 wrote to memory of 2284	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	45
PID 1916 wrote to memory of 2284	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	45
PID 1916 wrote to memory of 2284	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	45
PID 1916 wrote to memory of 2284	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	45
PID 1916 wrote to memory of 2284	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	45
PID 1916 wrote to memory of 2284	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	45
PID 1916 wrote to memory of 2464	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	46
PID 1916 wrote to memory of 2464	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	46
PID 1916 wrote to memory of 2464	1916	563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp	46

C:\Users\Admin\AppData\Local\Temp\563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\is-638UG.tmp\563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-638UG.tmp\563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp" /SL5="$40152,1824239,70144,C:\Users\Admin\AppData\Local\Temp\563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3008
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1840
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2640
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2488
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\INBOXT~1\Driver\tbrdrv.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:480
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:844
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2924
- - C:\Users\Admin\AppData\Local\Temp\is-U7VHC.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-U7VHC.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\is-U7VHC.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-U7VHC.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /postinstall
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2464
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging "http://toolbar.inbox.com/lp/inst.aspx?tname=Translators&c=4&tbid=80389&iwk=847&addons=1&addonlist=&afa=3&lng=en"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1308
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\blue_green.xml

Filesize
52KB

MD5
73ae8ec141d41888f4f4efc96e3158aa

SHA1
ed00518da7d76b725af71e493026e1645f33a9f9

SHA256
3b18558a9b1f02bc5724b37c128389804f89a6aee5f9b9b484e94d0548057110

SHA512
95adef46aef2529a9f33050a88dde6a8217e88f4ae6246ffc2f9fbdf985bd1bef1b505561a8bf10ddef376ecb340e632994be127f5a7b36f60bc0b4642cd0108

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_dictionary_br.xml

Filesize
5KB

MD5
a68075fa8f8c2312da27ddcc6e70a9de

SHA1
d11fbfaaa9450991ec9e8b70ebb7051de4ba239d

SHA256
bef21899bffe2bcaa0df4fc33906139b04cb7a02c97dc46e7c71b76cc0ccb3f1

SHA512
1cccca0ccb85311a783fbb19b38a78b3efd164df8e05d38f3e45d2baf279435f9db41da9bd29cf672b586d1d1b5aa3e0ad721b13d9a0a52381cd63bfa7176320

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_encyclopedia_br.xml

Filesize
5KB

MD5
d48b7a2bf23cad2e3c86e5336c6f03fe

SHA1
d5b1d477851bffd24ee65e60166985c08bf960c2

SHA256
80ce55abf5a8f9c92e65279e456844bccba09141b7b0e22b8c51288766f8f854

SHA512
0cffe8464b6022c5d803b405dfcb21b21ccba5a93401c71875ba2dbd7ffd0e51e1c56afe32fe95bab243edf3a6bbdb166374bb75531ecd73f3c1f63f1f79b40b

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_history_br.xml

Filesize
4KB

MD5
255d2cd2ffbf0e0dcd5a7555d293ddc5

SHA1
b19d386ca76b35fba2597ca8baa962e5986440a2

SHA256
132e6e7c5b3b12bdecfbf82eced716d4a0342e2ff21727cd5190af3d159c74b6

SHA512
80c898b1b119fbbe9861a8a385f50dd74acdaef182ad7b39379c1273fc787306d7cf02107e303cc5dd0253b41a1d7d8140420025fd88be698bdbdbf24dbe2e65

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search_br.xml

Filesize
4KB

MD5
0b68802d3253068df66f23dfe7b93e0a

SHA1
be2e8050748d75eb95a7bc8257982f81ee8a2b2b

SHA256
8b0707feece3adff817442357f5c5a6aab64a3d91de8362dfa0e95ab194330b2

SHA512
51ebff472aef81b9808c32d1bb1db3153d5e7d1fa46ab5bb36c75171fbda952d0acf36aea3daf4d80d671739e5a0fd94ca301004f0de434443116139af2f0943

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_translator_br.xml

Filesize
5KB

MD5
1c9297aa0ea4b67845686a49c8b486ef

SHA1
aa42a24a47ebecac0afeebdcfbd89a8e8b727e87

SHA256
b63d238162d4b21bf557a1c1597a4f948d27b5414b8a984c0aa5539648478dbe

SHA512
8c8ba090ddfdaf49268b34b7ddac9bbeacd699f521d2897f17539f2aa8e16927dfcdb2613c546d972b6da9c23a72edc153bc0c11c13dc577c09938752707c122

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat

Filesize
7KB

MD5
dacf44f0b690f4c0053d31535fef87f2

SHA1
d2318c6c771a4adddd507c2fa6aa7d81ebc7aca6

SHA256
9175d7ad0f699049214a066e3b7672036a64354fbd88b002fb34f1d8c583d334

SHA512
60c7e1f3fa5c5515907b4e2702b0ffc1f32129fc92c75653ab7591745d78f7fa59b0a6c505b21cedb36151d4ca4a0fa1b90f09f8d267f7c9bd91a9605a87b7ce

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf

Filesize
1KB

MD5
c84b4baaa44b8989b2e76b42c1ab5301

SHA1
36ee3212aec954e82fd73c914717c7ad32cfc367

SHA256
94ecff1e1ce8d5d5ef349769ee4236d230a7f58dfbd0a7d32ebf84c2b41fcec8

SHA512
230bab43937d5ec8600882b2ca6249b07fc580fea5b1c8817ede28fae6566bc78fb8f2088dc4dea0997e217c94659063dc3d2adff0405944b427d325ebe373a7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys

Filesize
35KB

MD5
e7c0aac166d688ab41dff2f17e420a3a

SHA1
00b70a50af14b497cebd100344fafbd3a564fd5b

SHA256
babb144ed6471079b6922914646a110f9fe5588ca3d94deeeda584c484e4ed26

SHA512
fe539d89e28204b1d09607e9f0450ae619ff71efdfccb4597641a27cb3234fce1a2061e273bd8490c9bf15d19871aa93c1bf98c909b6c252549c40915d62721e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1014KB

MD5
d673907569a04e0b0475f3040cf566e2

SHA1
b592a76de20a34d4df1d2a00e8f77dcc85b411db

SHA256
4da6045ad6a2cc08bfd06f1b0b72609c4bbb3e07807eb3d2b4599cbe024165fe

SHA512
897b531b67f92498980d72a1764ef43384db7d3e8076927624eec4144eb625416f34a17fb5c759620e20820969951033e3d7eba45ae81bf9d6e917eaa6b05f27

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
0ea75496d9716ba269f47b723c4dbea7

SHA1
157e6ac6d9d71b8431c43c06d0619916ed57b45a

SHA256
17b2dbc3d4e531b902792d93480c64e01a960e174ba88809c83627cef3e2cdda

SHA512
c9c90a275b372a6454e890893e70844879bd8a22c5873bf16a115e1fb1b951297f341b4b1791e477e12ac17ec8ba915396b36a1e0fc240d92c25d13fccf8983a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
cbf23a1a0eb1d5a4db96f0800c1b560e

SHA1
72ba79961741cc9e153402e940ab6f974bd7c469

SHA256
a6fb7be17ffca80e4492434fc6920264099036dff9486747e4e79d9c0f8df769

SHA512
c9e91e080672ec5cca69f81647d310d1187e095c6023579e40d667a4c4b0930b84e617ef58891a758e7bf46216190ec5443d54717a1a14f3318540983d97216d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
2c9596e97c9e11b7a30a75aa464dc70e

SHA1
60effa4eac84edd2260b2af5edbd1743156da6d7

SHA256
ab314891b78efca4c154a13aa0f91a8d4c6fcdac8431d45ae56bd116456cb7e4

SHA512
7ffd01f425c25619243a21a2fb498035d11fa8096f20e837aeb548c5144d67af0b2fe5cefebf5a16f17698304162079be7ac793cbcbad0e0718e61b0f70c5445

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
54B

MD5
1e821ff0a1935f790a2b16122d75cadf

SHA1
2a88fde78e21a9693f685cc2029a9b1f58b48ba4

SHA256
bfab0d25901e6a2b95aca3aab297b6a77fb2ec0ac9695cb7cea5649091633b50

SHA512
0b2c4013d9303085d5175fa1fcd1208541964d1438865007cd2bc361cf528665c40ed921367780e3588b849c237aab945a1f4f7fcc2c2f543ce314292fd38c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
29B

MD5
3ae883e8a3e0272e3b0844d35a05fd87

SHA1
45b5ad9ea39c60ee61d6ad5776b82975c27191c5

SHA256
c37f72f8519621289d97d31889959c508ecd8ee7a18dd04462fcce53b74719c1

SHA512
5dbcd8f6ed1891f9099723934f46955f90d9219dc07ba468ab1cd286f9b96154365f4ada2515639a8f0710b98fa01451d01e02482ba334905d9443782eb2ed0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
88B

MD5
ac83f8305fe5be53ca4dfb54b8648e88

SHA1
e7b568c11a8bf0d65c7da175c2e2538a233c6349

SHA256
94f264cb78388abdbeee9e3ba83ed40bf3b4beb4dbd03fc3c8ace7a95a14c993

SHA512
f4efaba6bb65dfe614e1fa1a0df7d780005907b5561f60b57f8d442710f2f5500bce31b501aa5b43f215bcd0365ebdedc7a91b6d4dc2b3fdbaeaac13833f3d3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
118B

MD5
5d2e2e2d39aeba6538fdf081d4e6b7eb

SHA1
c236e2f5d2bf40058c007c1f62544f132dc98150

SHA256
0344dad38e450bb3f8459204c8a6eca9f2e2c35252c7e408eb1d183f1d9b6c76

SHA512
514ebff67314b686eda446ece12d56ddb95431112a06cbae637298d17604f5f7811f9029090960a0bea580c44b58b35b6e70ffc9755ff17808214535b58b257f

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
172B

MD5
098e7497c08d2cceea0c78c7759ff6e0

SHA1
0d4a81eaf2a95ea96e7486b07ce67f4458c0de0d

SHA256
ff884998979a4b161b400fee86f61d92ae0f98e146ebe4b059ac1ef2a2559cc3

SHA512
7ba6cc1f0e1625b24513852e99bf50cb65bc09c07d9f85d4f78e6e602db4de82f1b4a345618f10cd6e8c14dfaeb9f7edb0484180b908ef640549511362ed263d

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
209B

MD5
2b1b951d34e333f3c9a94ee3515ddd47

SHA1
59341b5076c25f1fadd75b17b022d23fe7725dfb

SHA256
6161ea7237a9de91662ec7fde8c4c71d8eca8f1068a18fd0ca3103aa360a8ee9

SHA512
2e8ca84b00f79f55b35871b1c46f7b29fe56ad443cb801603805e99410429c80e379d97556761791337f3b6a8ad17b48feeebcdd7114b6ceaab2eb92a201fa42

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
253B

MD5
31cab19b32450b01641605ed7dd0cca8

SHA1
212eb88518edb670ddcc2e371746777317092b02

SHA256
b47a0ec5c392af96e30ade7011335789d38da9aad36d42a88bceca39bf26dc76

SHA512
a2e56534186525145fb281db86156a5c3a20d5df17959a731343a0658d14de2317e79dcb3f5135aef7fa20353d71a164901fb79ec60035a0722a6f51699b7d58

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
264B

MD5
fe87b857973defa2318635a7890ab137

SHA1
eee7f217866c7e0f0d8218fd337c905573828bbe

SHA256
13938e2816ffd751a683c92b8cfb180b48eb8a9308fe5ec5c4053ec53bbe2e08

SHA512
bab6f316d1a396f063aec86adfcbdf1ddd8ddaabbcdd2e5a348ff1bcc700a99fcd3ed43f149e28770d2be7dbdaedc6aade12c8d931beaa2f0807a9dee18c616c

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
272B

MD5
b8f517e277bb83853126e786ddc8575b

SHA1
d8dff544e798916cf53f2e8a1d736df5256422c1

SHA256
c6b508f23fbbf10105cebfb36e096a2c042d4a0b8855db222826deb5fa1a32f0

SHA512
02b622cfa72b44a31c8e717e56f0ffecc4d5d6b5c692ce57b355fd498172dd0003a8e7196be390cf533ff8c8126ecf5d37f310ec3f0975ede2deacf3fac8c48f

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
93KB

MD5
6aa650efb4605f4bb39bdcfd8a2198ba

SHA1
da12240ffb9984e3f3d8e93a859bc8d768a242a4

SHA256
8729058fc0a109bfaf82d84abdc954805cd46ed499ff235d5181ff3facdaf2cf

SHA512
6893a2f796546c859c1a9ab2a8c1960f2606fe779a07bbe3cf3c0ebdb9579defa87c3b1d4dbb7e4934839a0cd5062255fb6d019bee11cf57e09b0cf350ce2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b348198ce445a300c59d74df900368b

SHA1
a142a19b046d5f24a9dd27b45d0cda154eaf86a7

SHA256
effc401ebf63560e0b4c4f7361e984fdef4b04b4e90b97177c73f56625df6873

SHA512
97d737431f257a692e3e5252532385c1dfe3700afb599eac02412e4bab9180b7d9e32c16e61ae1e14264fe574b0bdb914dd9d1838921430a9c44721830939c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff06deffa785d34ebb05846c67221645

SHA1
838b833f715ca7ce92eb1c8a6a6a939344424c33

SHA256
1bcc4730dfcb40467ba2aea835c4812fb0173ac2287f5f8583992761208a95ce

SHA512
e7b14bdff974572b8e35e0f3be955a3563a8b7de01a437b18dd995420b3f5f6047f08ef9b5463da2107ba1e5a9342e8bc089e48bf76468cbff2a2fd0fefdfe33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f237711f1bd631e14a107a4403c5ee1e

SHA1
e9b2eb51fab12ed80f5c18f458e10a0e69f66c28

SHA256
e6b163c51b0a044ebdf19cb084782233a0123983742ff8ba6a84c7faa4d92e50

SHA512
0cb8806a00d75223d57e4542ab472fc5b0a958cb1e96f38d2206a4db86e0bc17e3a5c0f5dbd13771a852e0afd60d061088a8dcf3e80fc0c0d5cbbcc726fab510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fda1c10919309ec2a0a4b7bc47e916ff

SHA1
22893f717d2a89f7a95a4e22b0bd8ed40a10916e

SHA256
50b681e2d81887a04e3723276744091d2bf56d8a08deb6a4f0d32bae621487b0

SHA512
687d23ed7b1eaea3d5753dcb3922eb1b1ce4d36030a306e5e5e464eb881b32d6d87f9b469d1054a0805c16b5cc9d00b3cd19a2831d5460b89b3d1b7406996a94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80d95d4f0426e4c4e6524548a74ecfd4

SHA1
89b125debff56955b1ddc00668d8f8c9bef1aea8

SHA256
4e65861ae7fb2dac0e7df61199445735daf67f30c710cdb90e5e88f2329905d0

SHA512
63cf36ea98c51df2ea9e803807d8bdbedd7e57f5b17f7caff5d7df417ca05a1c3a465fda954e8bd3162507884294464aa290874ec84a202c88ac04ba05de0733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e0a771ad26f3ed60d92ce4c3f75868f

SHA1
012653cc9bc6f82a5628e2e193da5fa9e299fa2a

SHA256
02e43818defdb5488d8a6a1af434e1ce92f2f21cedcb1a516916c0af035edb39

SHA512
9cc042a1281d922b366926c08bb0d4a9008b45a33a29a572840c2d0374cac707af56c1431d31a6c203ba159e4d2822b27b42d8416cfaed0595cacfbe76c64072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8a86c675fc836ca28e7bedb40a6ea0f

SHA1
90575b1c202edc9176f5664de5a6f27e1e99e73e

SHA256
3c372fe30befc5f389b8d8d8d5540c321b17da7aeb5f6d982c95b5973cebb6ba

SHA512
7e14a7714c27f4a59b431c8dd98ca4136ee91fdccdcf6f74ae6394fe0588e3b1e7eff039d0eb55390698e745b47f4ddfd29d0c93835f4bce4850b08e56cfc93d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94942d97decb97f7eedfe1d507817b8e

SHA1
ef1cd67042a50f72f5dbc6339c7e7d225e4e95c3

SHA256
458f8a7546e9fb8c425d5cb391b2ba3d70a2abdf15475a66d6efc1285cf51fef

SHA512
e2b577f231fc642cfbaceb55d12058475ff4d922f36b74c3e71d13760ff5a05d25143636f857082eb12a12b84f09851500fafe96654854aaf0ad52a2cefa4ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81d936a75ea2fa7f1996fc2a7d737054

SHA1
3e2fc0adc22107b02bca410dbb725e4486941ea0

SHA256
0b444fb61b5f2ba8d83442f156b405a41df26e5a02261460627cd739783db90f

SHA512
456571b4165ac149e2dda72e43ec43519429414485ed1f077ebfc7579db0efbb8c6062148f11155ce808d1fe0a7c3bcbceebd82716e48fb08244742584f5bc0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3be1cb8062e06343c9e70fd73f0bb7ff

SHA1
b5600aa1318073a4d3178654ed77dec1e9524207

SHA256
2b6c514103ca730115943f469fa06034ea94ac19d57c2ac06b1b971d00b1d7d1

SHA512
a623abdf2705a1dcdd002ca528748115eacd1c550655258d9a479b1e4e6c3a3d2ad7f516f4b7ee29ea80150b5be1e5f0059acb60c802be16b1a0d1c88e664e33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63989be24ae65a24af43ca680ff54c61

SHA1
e34a96c2e1990c421acf60aeb031f786e4057acf

SHA256
4ef4881720871bcdb6398ae2004fe83ea632e755446eed34f746733d05cb3ec2

SHA512
94dc28062751e8cb59c3e0eec9c3be921ba3bf8893ad48f968a5085eccb752ad1f687f7ce724c930d7c0b661d8454067318476f1023f86c63afe820a955f4687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6f28afcf56164c8957b3b592f021b94

SHA1
247fcc2d44e99da8529c76dd5ea3156a92991c4a

SHA256
488b21dbc0df18a482ecab64262b4e6ccd98b86d1cbd04aac5434dd1859f703b

SHA512
eacfb0a904ea40bcb68e4fa12e49e358cae1d68d05dfafa5206ec35a1a01e1ec99c482ac73d124dc0fea2d99758ad0e4f3d11ee724e13ca6a31a9387bc2c5c33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dd0f48997a4655b312bf89588e067a0

SHA1
63834d854ece028a070244ebed86d7bbc7a17686

SHA256
6ff9724e753c1bf1accb0063f670a13860c31634182f765e4f91c8eb1006996c

SHA512
ceaff285d858a0022a1ca01779f4850808b93f90a439f5a0a3676037df7acbdae599e64da48511a4a449ea9456c65420c2287e66f195c87fc0b753dffb550f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
468e9eaa7987032b80a56ba8e23f9d20

SHA1
420c8140840866c648e98ee40b495bf48bf4dc60

SHA256
e969db2c2c898b7dc200c7274b0c6889c09687bec22bd3bab5f985b84dd73a24

SHA512
2926ff1012ff46e081f78a201d9951939efa2a84e24a1f564879ceb4992e2f77c0e80cd5fe8d94fcc97a1c2f0829bf51e97411dd9eb9bd037dbd3fc04b22ae20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3090c62b0db457ce54de562b4ad2ba2

SHA1
5ebf27a640221035c93e89861dbf7b81baab3481

SHA256
8ef08a97b7699ba76ee409e2c210d6562b2c250cd1f36d03be3a16019504fedf

SHA512
b6e75757291e07418d0190b87c43454e7af29930ecc27e57629278257ef6c46913d8c740125d827e6bb92e0510b4031bd75ec9199cc67e885d6859cdd6eaa57e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4c29309c89d3d33176e48d80c26dcc1

SHA1
881e21885b40f4cb7bb0adc30d820aaa014cf2da

SHA256
29fa0ee92892ff56325f80ab0fdded15270e7a36280b4198f7852d0fba022b13

SHA512
9febc5c51af1e523f13c10b3fd9828f39fe456b6c12cf89f5e327350bc7c50ee75d79ae39ae44bfb4a42fba538aed800002e58f65000faacc96330f9c5ffbe03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B22.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BD0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U7VHC.tmp\setupcfg.ini

Filesize
85B

MD5
3c994d4353f00f2eb473c1094e58ae67

SHA1
e804ea9ba11f71176aee9117849371596b954986

SHA256
0db3302e6ebd653a3128a1d54ebb1f53de580bb58702a4b4e5e65f1747807433

SHA512
508ff803c3dd522b4513c420667f9e22056b366f03cdd806a5db97ab0abe67dd3789c70af065055cbe7498c828a02d8046907af9ceb96bffdee195c62f338281

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
2.3MB

MD5
b9a8c8345079aae42ecf0ad2177975f7

SHA1
2137855a12bd99604fe8fcd30e90c83ee245aa29

SHA256
cd40b98ef96ce492251eb58e30a3524f276b63998475c21599a3b7f1981405fc

SHA512
68408a3e91c8720ffe3fe3ac0767491b140e1fae902adee4e26a96dc3e5fd9ee3e0c293fc4fe2ed316414397a938b0602580dc422b5d43cc29b9ed655a7a5d57

Download Submit
\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
3ae9703c8eb945c3559c6ddd38515503

SHA1
50c6ac0bcf326e51b8e173dbf111bbd74301a97c

SHA256
24de43663274da426020181911894c3f4831396def816e6627805e0956679bd5

SHA512
743678ebd23576537fb779c299526df6da91b1e6aca0725d3b9520e129d5d4ac6add5d98b0c7aeb48b10b9fa78d0312bece6b1120b9c3c7f792a3f96af5538d2

Download Submit
\Users\Admin\AppData\Local\Temp\is-638UG.tmp\563c77e1ba47c5f9aa47e9964a910aa2_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
\Users\Admin\AppData\Local\Temp\is-U7VHC.tmp\AGupdate.exe

Filesize
873KB

MD5
a3ccbbb0735800b89931b73ccb69f9b1

SHA1
53c70f80017eff22ad88a53fdb3ffc518354af59

SHA256
97d0684ab1ecb2f89a3c8e53dc383aede506a1f9367aa283c0b9992a19854d43

SHA512
e4461a7cf5e8b8e655a2985be672af25e44276b018b7b532a665f26c1a44032bbada7e5a071a78827020c3f18d9d5c79bd0f59fe97876b1eb4279ec4094f3704

Download Submit
\Users\Admin\AppData\Local\Temp\is-U7VHC.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-U7VHC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1688-302-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1840-149-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1916-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1916-439-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1916-417-0x0000000003EE0000-0x0000000003FE7000-memory.dmp

Filesize
1.0MB

Download
memory/1916-427-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1916-415-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1916-134-0x0000000003EE0000-0x0000000003FE7000-memory.dmp

Filesize
1.0MB

Download
memory/1916-125-0x0000000000540000-0x0000000000577000-memory.dmp

Filesize
220KB

Download
memory/1916-25-0x0000000000540000-0x0000000000577000-memory.dmp

Filesize
220KB

Download
memory/1916-124-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1932-370-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2184-440-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2184-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2184-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2184-123-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2284-425-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2464-441-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2488-131-0x0000000001E40000-0x0000000001FCE000-memory.dmp

Filesize
1.6MB

Download
memory/2640-128-0x00000000022B0000-0x00000000023B7000-memory.dmp

Filesize
1.0MB

Download
memory/2924-418-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3008-95-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download