4ff2598587176cea5287e8e19a5aa8ed4e5b7b9f049395930efd009e79dc7a1a

Analysis

max time kernel
144s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe
Size

2.5MB
MD5

b4ec0d1d6f287103dd35a6da945fe2d6
SHA1

c40d4875223fbb6f5e5978f4389897f62f8591c3
SHA256

4ff2598587176cea5287e8e19a5aa8ed4e5b7b9f049395930efd009e79dc7a1a
SHA512

51578b9c9f4a141d92c7972ac197c78f0d7a2c42d63ac13f4a65e7c69bee275a4ed4a52d19b0dff87bf6a42cf44f53bd4b6f7eae8521b18bb100d56c335e6b99
SSDEEP

49152:kaSDJLr+Be0SeBk2a5wL18ou9DjMYcOajZqOLBNwDaebA5rOYiZnP:ktO0iaaB879Dj3cOodB+GebSivZnP

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETE8AA.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SETE8AA.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\tbrdrv.sys	RUNDLL32.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2680	Inbox.exe
2456	Inbox.exe
316	Inbox.exe
1324	Inbox.exe
2968	AGupdate.exe
1848	AGupdate.exe
2132	Inbox.exe

Loads dropped DLL 20 IoCs

pid	Process
2120	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2456	Inbox.exe
2456	Inbox.exe
2780	regsvr32.exe
2952	regsvr32.exe
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
316	Inbox.exe
316	Inbox.exe
316	Inbox.exe
316	Inbox.exe
1324	Inbox.exe
1324	Inbox.exe
1324	Inbox.exe
1324	Inbox.exe
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\is-NMT4A.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-NJDK7.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Driver\driver.cab	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-PMJOU.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-O7V0O.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-2SC6V.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-PO9L0.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-T7RCF.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-82KNV.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-S2PVV.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439105249"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000067000f45db681c9def040dfd422251b93ded657e6e477531643350c8fb91b8cf000000000e8000000002000020000000b66d35f3d1c88c0db28d0d7af95c3b4cce7d6d99663238abee6318a393456eeb10000000aa0350cc5a3b888329c88b1b835e89704000000056d44703c80430f9c1718a20379d0c74467eb9b4132dafdac512fba4901a5e2f8df919ae258dbace1e55a72fa561301e4c6ef13574a1d4c8ed97b49402139d4d	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000f7df139e6aaf3f8ba5217e5559735eb1d1d786cbc17787427c7c6593fba4905f000000000e800000000200002000000068d87a568ad324c5ae3aa152ef4baac421155187e8062559fb71239b604288f2f001000058205f4af8d82c796346e97a49e7d1ddd12abc6b9f21dba7d4879bde3978bec7c3765730dd7c144e9100e4c040f1a6fbb07a7a760c84f75e050e5ba478c1779a13a6188486ad19ed0ce652fae4c7903575e961eb9fc881a7737198ac2e8c46117141a0084d34355957bd8f829275a6ea77dc19f2c87878942d7b815f1d61ff2179ca21088b1df407b849192b6621626d633c034baf509cd54a9b8a56729508af033455bffabd9e8c201f8f02a558c8808f834066f3c4aed7c6847e7fe2bf372f387b1534a57cc9b336d7832ef83a91b51964a185a5cbb88be022a437aab8bfafb4b1995c7d9ca0d697d26bdd11aedb70dba7fcafbf05207736e258b84d56fbef0c961d10962c301a717435eb78b944557cbee261109cc451d2360ba6caaa16a514b56e14cee03f4957fa54137178ccda2e700f550654b8c1f203f00cf7a440732e72e2526d1fb291a598c171205f659fa2accf7be86f0b5a806df93a0e6891517215f26a96208094cb6c017ffb1f67b0aa334f1228aa9af78bc9e63b8ba53460133cb5557158b9a433bd8eceac469e949485ed0ad4532b0f3640c54c1714a7345a313171d2259b5e9dca134b9b1e3d689b37c6fb74b73855ba9fc2dc64f7f19c95dee495a43393ea5807adb26b62ffba4e88fe948582e997bb74fd267f881b04c8b17a28fc6a910fcf141ae0aa2d26f84000000088ce1a75ab7289eb2d0d6920a7a7f4ac1b49f1d6066f4ce44d89f87a94d4efbcfebeee184a7119f01c31599c9eb64de8b529e9e18f6d3c9987f7d5c2205cc4f6	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c52ec5c959ce0607aac4a07f75167a2e	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000000167953bf2f6e5d5b0fc6399478b0c6d34156f7975495c1f7589d211d2678334000000000e8000000002000020000000d166d22c9600f8c40035c111757f4fb27462f1c4a59d0f3c91228af34407df5a5000000032b5a7b36966bdfb243830afb8e000704e18ab5d3e0310074b92cb14a97b461b11fb9ecc5451696947c109852d49d977d6c2901969ae07e606a519025023011427de20de8e2f32112377d1b0e16dd29440000000e20f8479c85cafad6ffdb3760a84a1ec5270e08dbbe0339e2186ac77cd4d2c42ff2771052acbaa5062ed88e0366704e7d05f7496c3944fd0719ec4230545f140	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Secondary Start Pages = 68007400740070003a002f002f007700770077002e0069006e0062006f0078002e0063006f006d002f0068006f006d00650070006100670065002e0061007300700078003f0074006200690064003d00380030003100330039002600690077006b003d0038003500330026006c006e0067003d0065006e0000000000	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://search2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80139&iwk=853&lng=en&rt=1"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{C04B7D22-5AEC-4561-8F49-27F6269208F6}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\User Preferences	Inbox.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80139&iwk=853&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\Clsid\ = "{612AD33D-9824-4E87-8396-92374E91C4BB}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\ = "Inbox"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid\ = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	960	RUNDLL32.EXE
Token: SeRestorePrivilege	960	RUNDLL32.EXE
Token: SeRestorePrivilege	960	RUNDLL32.EXE
Token: SeRestorePrivilege	960	RUNDLL32.EXE
Token: SeRestorePrivilege	960	RUNDLL32.EXE
Token: SeRestorePrivilege	960	RUNDLL32.EXE
Token: SeRestorePrivilege	960	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
1324	Inbox.exe
1324	Inbox.exe
2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
1324	Inbox.exe
1324	Inbox.exe
1324	Inbox.exe
2364	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1324	Inbox.exe
1324	Inbox.exe
1324	Inbox.exe
1324	Inbox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2364	iexplore.exe
2364	iexplore.exe
776	IEXPLORE.EXE
776	IEXPLORE.EXE
776	IEXPLORE.EXE
776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2556	2120	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2556	2120	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2556	2120	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2556	2120	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2556	2120	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2556	2120	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	30
PID 2120 wrote to memory of 2556	2120	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2680	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	32
PID 2556 wrote to memory of 2680	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	32
PID 2556 wrote to memory of 2680	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	32
PID 2556 wrote to memory of 2680	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	32
PID 2556 wrote to memory of 2456	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2456	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2456	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2456	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	33
PID 2556 wrote to memory of 2780	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 2780	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 2780	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 2780	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 2780	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 2780	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 2780	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	35
PID 2556 wrote to memory of 2952	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	36
PID 2556 wrote to memory of 2952	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	36
PID 2556 wrote to memory of 2952	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	36
PID 2556 wrote to memory of 2952	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	36
PID 2556 wrote to memory of 2952	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	36
PID 2556 wrote to memory of 2952	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	36
PID 2556 wrote to memory of 2952	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	36
PID 2556 wrote to memory of 316	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	37
PID 2556 wrote to memory of 316	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	37
PID 2556 wrote to memory of 316	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	37
PID 2556 wrote to memory of 316	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	37
PID 316 wrote to memory of 960	316	Inbox.exe	38
PID 316 wrote to memory of 960	316	Inbox.exe	38
PID 316 wrote to memory of 960	316	Inbox.exe	38
PID 316 wrote to memory of 960	316	Inbox.exe	38
PID 960 wrote to memory of 1652	960	RUNDLL32.EXE	39
PID 960 wrote to memory of 1652	960	RUNDLL32.EXE	39
PID 960 wrote to memory of 1652	960	RUNDLL32.EXE	39
PID 1652 wrote to memory of 2056	1652	runonce.exe	40
PID 1652 wrote to memory of 2056	1652	runonce.exe	40
PID 1652 wrote to memory of 2056	1652	runonce.exe	40
PID 316 wrote to memory of 1324	316	Inbox.exe	42
PID 316 wrote to memory of 1324	316	Inbox.exe	42
PID 316 wrote to memory of 1324	316	Inbox.exe	42
PID 316 wrote to memory of 1324	316	Inbox.exe	42
PID 2556 wrote to memory of 2968	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 2968	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 2968	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 2968	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 2968	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 2968	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 2968	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	44
PID 2556 wrote to memory of 1848	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	45
PID 2556 wrote to memory of 1848	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	45
PID 2556 wrote to memory of 1848	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	45
PID 2556 wrote to memory of 1848	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	45
PID 2556 wrote to memory of 1848	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	45
PID 2556 wrote to memory of 1848	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	45
PID 2556 wrote to memory of 1848	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	45
PID 2556 wrote to memory of 2132	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	46
PID 2556 wrote to memory of 2132	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	46
PID 2556 wrote to memory of 2132	2556	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	46

C:\Users\Admin\AppData\Local\Temp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\is-FBEDH.tmp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FBEDH.tmp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp" /SL5="$400E0,1888839,70144,C:\Users\Admin\AppData\Local\Temp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2680
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2780
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2952
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\INBOXT~1\Driver\tbrdrv.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:2056
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1324
- - C:\Users\Admin\AppData\Local\Temp\is-F762V.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-F762V.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Users\Admin\AppData\Local\Temp\is-F762V.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-F762V.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1848
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /postinstall
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2132
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging "http://toolbar.inbox.com/lp/inst.aspx?tname=Games&c=4&tbid=80139&iwk=853&addons=1&addonlist=&afa=3&lng=en"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2364
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml

Filesize
51KB

MD5
01116f926b28cb3442473d8b47a6dd8f

SHA1
5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

SHA256
01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

SHA512
df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml

Filesize
4KB

MD5
04e1df757b9b5a6418d79d072db000ce

SHA1
f118b45fa1092a7d473886b05984580dfa5eb5b8

SHA256
20ddca93499bb0a82627577b4cac56b6bb4c0ccb2c10ad92d16bac8b09a96864

SHA512
380eeaa2bd01629c7128a0971d6855f30d4e99bb9347d465a670419d8684585b1f7d52c6ea6e30d12bd7b0101ea1c9399c7e4f1f781db35c225f97a5e0d8d871

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml

Filesize
4KB

MD5
4b3274899a510ce0a0eaa6427bfd2869

SHA1
bbc6075fd32dbb95a254ceec0083f008113f7dc3

SHA256
1799d52866f0579798e7817e9168017bfd5a0a6e452af848e1dbe7311324c0f6

SHA512
4e9ebb12d5e6fa334bf7cb3dd4424036b3493958b9d6755fcaa5b61af9cc2898c588e6914b16298012b385cd0e890c024a607f120332c677f7b7d521952d4059

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml

Filesize
3KB

MD5
ccd6e298e340f9adc0e7359e9e924441

SHA1
87a1a8110e60fe6e0322e253170fb07c64dfc97b

SHA256
81857ce2a92da97d87e489612c6b5a82fb37f2a5856a36b772764f7072452701

SHA512
2bd078aaf07ece5a21c7353bd1843f9be60615775f19d1f14e0551c688b63bd21ac8c158230669f719180a724d64de9665720ba593323b87a638e3163ace5d17

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat

Filesize
7KB

MD5
dacf44f0b690f4c0053d31535fef87f2

SHA1
d2318c6c771a4adddd507c2fa6aa7d81ebc7aca6

SHA256
9175d7ad0f699049214a066e3b7672036a64354fbd88b002fb34f1d8c583d334

SHA512
60c7e1f3fa5c5515907b4e2702b0ffc1f32129fc92c75653ab7591745d78f7fa59b0a6c505b21cedb36151d4ca4a0fa1b90f09f8d267f7c9bd91a9605a87b7ce

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf

Filesize
1KB

MD5
c84b4baaa44b8989b2e76b42c1ab5301

SHA1
36ee3212aec954e82fd73c914717c7ad32cfc367

SHA256
94ecff1e1ce8d5d5ef349769ee4236d230a7f58dfbd0a7d32ebf84c2b41fcec8

SHA512
230bab43937d5ec8600882b2ca6249b07fc580fea5b1c8817ede28fae6566bc78fb8f2088dc4dea0997e217c94659063dc3d2adff0405944b427d325ebe373a7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys

Filesize
35KB

MD5
e7c0aac166d688ab41dff2f17e420a3a

SHA1
00b70a50af14b497cebd100344fafbd3a564fd5b

SHA256
babb144ed6471079b6922914646a110f9fe5588ca3d94deeeda584c484e4ed26

SHA512
fe539d89e28204b1d09607e9f0450ae619ff71efdfccb4597641a27cb3234fce1a2061e273bd8490c9bf15d19871aa93c1bf98c909b6c252549c40915d62721e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1014KB

MD5
cef98a42f1f86652b0ca1c31fdc2e288

SHA1
39d597dffab6d36bc47f21fe20f2eedba864a5ba

SHA256
39490eab802f21e6d00ef5eef0e1532b69a64dbed537c39f6c6129c14b6406bb

SHA512
498fe3191d3d9852c5d7ccd960847f24dc41af43cd2d4d05569b11a2b2f0b5b1c74d66ce520b58a7a6759bbc729d11dccfe5d0a1e6c5b2422ddd083adffae5e6

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
7e2839c0e98367690b3af21d6408aa17

SHA1
99d41f4b0c57b5e6ef1efa2350038e10d4188035

SHA256
8cec384377ada9c4f9bfa6d03b8e6a2ed0dc650cad45b82594e11338458271ba

SHA512
d637ad72dd205f47ba4a163a88eb503dfb24f03a4f0b0c01aef8c29dc49942679eb5db47a1c63ed042f1f1fecd06d8ca6121972f33360cce5b956c0fc530286a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
565371d1e7f731b426c5e36e61d9f003

SHA1
c7752a54f5ad38002ed6452c19570adc833f9e89

SHA256
ac43b254a21613bce70efc92a047cec6c5b9d5c4d6a2ab231ca5fd3b3665520e

SHA512
f498bfb9dc3016cf8be350b837d668441e0a4fd0611c1f28dff72f87d305ebbbf5656a8521245b7d388cff8a19d57ba1eb747f50d140beaab6a1902f66af0e92

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
51B

MD5
5cfece4d6b6cb11ab8873514f6b8558e

SHA1
0ea00aeadc1ead04b07bc2b6b045d4f46695fef5

SHA256
ee1745199faa9908c7f87fcfdcbb5e625af6d80c30799a4615196adfa50a244e

SHA512
1d99834ab647d5f7fc03ecac7ec4648367744b1a58dbfa5a510f370a6d187056ebfd49e0696ef0810573701d4ffcefff0fc0dfd330f079b52c0b5761ff6f7fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
129a4ce81f9a7b3dc2d98e090a069f05

SHA1
a266de9a5f3fea40e7de85ddfde49f4b6c515c96

SHA256
9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

SHA512
3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
119B

MD5
4cac12bd9b7e89bee207df7fa117610a

SHA1
d05b8e03f446c117508902ae6de3c0afa5562618

SHA256
ef04c98f7ab58ea2e79251038cb6353bd0f03acb4da1dc18995722464846a884

SHA512
9fa0632cd19578f58cbe8d2f02816badff2d56e05f7a7368e56321a29a6c50e2f2c756313c61545d2232b4a18fc8e9a514d68fbcf047d04e93507d634800efca

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
132B

MD5
462a77d2e953cae9903df4e4fe13ea90

SHA1
e69004a7659f1dc8038fe6db50f2a6fcb89b1a02

SHA256
48e524ddcb7f919a1d70ce703d1d515231be824bbe2124112c00244cd0e5fa51

SHA512
bab2300687ba9ed83d37fdc133642f2de580171f107478e1e6d8492f7ecbb64a748c6cfd581e860a020d49b0bd4780f4d90d84d93d1266ea9525b3322339abc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
173B

MD5
8685a9c4d6c199c2a08487b357ff7210

SHA1
5d9efc164240082eb80a648d6da27b0891047686

SHA256
25acce409a985e91adb7e0055fbfa00d2d73e0024e7bf99af0b014c6428cfbe5

SHA512
35268ead9b530ff2310f3f95a7f069dfa3ab19d5be08789b933c4148950d04f8f478e5d212d664636b735fb747ec7b6c79e189b2d17e3e9a72b50a60297c1957

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
210B

MD5
e17eff6b15bb98005c9850ed7460081b

SHA1
788c6017a2b33a3a1f7deb587cd4ea3c36a34281

SHA256
eb54358f8e0ac4ae7b4721a5856703d570fb4f1f68c6c5ad76c0985a49ae3902

SHA512
3be20f967cf2a1cfa45a5bdb24cfcaca3a6fd02ca606ae31f950cbb5c2e376f2b2c8fdd175814108c2f98c6b363bba817ede219344e14a3071c92d108f16578a

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
254B

MD5
c273695b3544e19e349aa5328d68ff12

SHA1
99689cdb34fb0e449f1b8ea77046f9b64049c06f

SHA256
90d53556a3470189b872a553a9ee51d307dd0e97f687ff7a82cd4b2762e31326

SHA512
d966cb386a174cec97816f6e0ec1835ee7ceca2b9baf792b4fa8f7db0619ff9b966d507b2334032ff4dacfb3adbb9f70702f47c281e8abae69478bd2161db0f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
265B

MD5
5e64712bd82c46e0d99baa8dde914ef4

SHA1
e19df9bf26128301231a3a0e93065324074b0765

SHA256
228c222fd159e5f65098bf465357c9720947b1b403846a7ceac02dd9745c172c

SHA512
ea369b53febd4e7d7870c778482a6a933139ff1c5b1c863c0ec3fce47cc57f215d49370c4b701ab2b460b912749e94ce1fc61ad6bab47df1a0d65f8ef1a32f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
273B

MD5
de886b80d2eb35b29e314e9cd39783a5

SHA1
12e7f707a4ccd55d5472650b9b079457e935ff17

SHA256
e1998bf045d3eefc7df105ee178a67c21912178d341b8de4e7cccfcc05962616

SHA512
8f82768e093d09f39e201bef2069404c15707f5c99b983deccd789bc51116d8b3d1936d7a14a1ab8f7f52a9649000a091059eba6f11596f89073c795647cb9b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
93KB

MD5
6aa650efb4605f4bb39bdcfd8a2198ba

SHA1
da12240ffb9984e3f3d8e93a859bc8d768a242a4

SHA256
8729058fc0a109bfaf82d84abdc954805cd46ed499ff235d5181ff3facdaf2cf

SHA512
6893a2f796546c859c1a9ab2a8c1960f2606fe779a07bbe3cf3c0ebdb9579defa87c3b1d4dbb7e4934839a0cd5062255fb6d019bee11cf57e09b0cf350ce2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5111e6bb06c07b277825bae94d4b916d

SHA1
623cecb72cd55121a772c57cf1d95a297e38e8c2

SHA256
a0abde6af0b9184e9df25444b49d0771ced0c0b78060e18ddece13529e3340eb

SHA512
908480b81998038d9ae9d05146b583a9c03b2a420cb84aeee5114f2ccc1ef39caacbe31bc86b36bbcfc369e626801ff846b5b64989f079b61bd8caa77ae90d78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98e77036a269510b3dfb50bc77d06f91

SHA1
5e9aab8daab010b53734ab75a84d5e2ffb5cc031

SHA256
92f53c88e4d036ec8445cbfd1a2ed39f916bbfcd3e0892bbeb0ac52ab1cd903d

SHA512
f40dbee0e15216d172576ddeb77498b28168f076fd92818848796ccf2f4aebb32bc32b15f678885d76335c1d9eca90bf247d7711ce7651116b4816037153a102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bae577a6e5b62428bb560ca4e1d4fb6a

SHA1
09d80228ee643f3f86035d40b066953c904f4751

SHA256
c67be4efe9496925bcb0fbfc480ee3f60af301dff7d89328f25a18bafa22b9eb

SHA512
9fc058c5e6cebc7c982e11195540b7e0e38a95d8584e28632e6b1e02b7b63d4c5abb8b56d1c3d180d1db7b649cfad88013d570d58d482507b010312f073a0bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b87cb29c7e8e3f74684d254f9cbe34ef

SHA1
7b84c74edf09d9a20bb4aab9f4582b357ba1b985

SHA256
13b46dcca83ad87b431075f1f3d60ec189c4bb9a5396843039774ca2a8a95b51

SHA512
879fcef25122ec59757f5062ddc83ecd8e779b2911ceeff9aa2bf9fe22dbaa7871aea053268d8b90f68a43bd109e26ed07d5de001b36b4cfa1fdbfe9ab21cbe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a10e43aa62870d63a3b258f1d28a13b6

SHA1
87318d9d2ab85ec508d7e47a3f5b968cdb536278

SHA256
788e54863b8a6329c060462666c30a52403929f1aa6eaa609a879c1dda6bfd22

SHA512
3792549598e6503046922d84a600bcd20c073329e31b24f243b947458d503ca20db51ee50d5ec1c3a9aa866e7a98711fa00971d9a331ac7462cd8885b79c67f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1bb7a58d1ba1f66523534208fd92e27

SHA1
831bd7df58b0a546935d5952de7dab734d84d61a

SHA256
e92c0d76387c913249b4e90fa78ad507b5a242e7b54aafbd5f4bf5c1eddf6e3f

SHA512
74c633d0499354331e73ff2c6eb7ab39dc913509a32884a458230aa895fdd839e20163191c1ebe6ebd03b3383acb898f29df6f306407558ecaa5928c5efca1dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dda057f86c6c9f58841ac592c247f00

SHA1
7c1201e1cf7889508b4b70d49848b70699088a64

SHA256
0ff940cb83e1c6070192923923afdedbe5c119cbb8d11de4aa8ec795627577a8

SHA512
0e24033d591852ff5d329cd8231e7833816371683ed0021a3959b8dee3aed8d0933d95a23d263885c142cbd8e7b663f72e7a353ba1b1c8c781b48d1e9f5a4886

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7f8a5e8ffd0f9f2ad769699dd5dcce2

SHA1
aad011464afa9c23033ecc530f2a2934f50122de

SHA256
f1afa6c53b985a303079734a074373fb5b508845686b984da91666dc3b80fc84

SHA512
f424107347e7e85e256514c46b8e43b4fc43b7ca8a8dc13ce000e0b8206d0aae726dee492563be8da73310fc0b2b85b214e08385e07fddf51a0f5d4f643ec581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cdd21cd2ef2d7abdf02bf02c5087fb8

SHA1
fc65049e5acefbd122f331d4606dc2bc4039af57

SHA256
a16a18d6993a6da217666617072ecb911c9b8eeead4e246a0696d79aaf95371e

SHA512
8a1a41acb730fcdcde7b81946b30b26af3cb5fe9e95518ee402a756358b1f21d66a03774edd6a6e9502fc10ef31b7f46c0112939bdf659e3b59a5587dd28e5f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c86d4db73f5bfc286c7130580cc43e6

SHA1
cb476e2d50ce1bced9fdc521b3d57d61d982a38d

SHA256
67c63ac74658c81a0ff0738ef83ca5f5c5ce6341ba077b341c07e23aef3569e9

SHA512
d20b3b3c38201e1574b681d0bbdaca7dc026779f50612607bf720e474f926aa83dfe16e7bc6565ceb0af9fac03689ffba554f5ee82ef82f3897b210d1d861f68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d10f9bafe22cdaa12d32f08262ccec9a

SHA1
e87d1af5932286ec819417abfead9872a3095e25

SHA256
435e458045a7e4c41f693fc303246703f87b14b2640e7ffb5df7a5a93baea6d5

SHA512
e748751be386654b7be9d7f40ef590532c99482d14d041331300bc3f4dad0acd35f0ba438d33488b833ee0500eac4a76ca46b28b01489390a948b77563d2b21e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92260edd1d4b991751101a83da410e24

SHA1
cb2f25c68b7ae4b95451c0396f2e5f06b1693803

SHA256
7eb2f73686f76c901591fe3e6aeab42dd2bc3516024ebcfcccdc51b31c020f4a

SHA512
d568d75712468b2a025e88f12c4b46e632f2b0eed5366262dec80e7f7f2ce1f03d2fc7e371a40a8dccb1b86e08c9d99c1711ae0dc90077513a97a3cfdb0f5da3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
663a7d1339a82b75efaa6d3f2db5d8b4

SHA1
cdbc86fa47c7b749be8da7f1e837d9a242fbadf9

SHA256
9bf403d75af26e666e316cbad305c55f76d5b01df2a59fe86a58ff4fe4e9616c

SHA512
be469c987aee28de78bed00750a96ed16caa79c7e3b080a509da71bc79985b400a14ba4a8b75f6c2dbec530aa00eb06bfacf18b94e8743556b17d9b530ad289a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ce8ab7cf3ca45a5e32d8cc12cd883a4

SHA1
77805e675fd31e3a55a96b2ba41ded3673e2c273

SHA256
5eb6e3784e88bbd750b9f19de576d11a444e9abccf7ae90b0ba9f6bac6d3adb3

SHA512
c5a740bf1e5044f207fbf8e6444e490f4a9e819a9420e7f5eaf5be663b4c2dd0d0f3a9bfe3a5dd37960ceae8856aad41fa05bbf27f2f3dd780bda46b6b885f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
688993a381569cf618ce7a705ac113a6

SHA1
6e27910717699ef74cd20ab188d81deef88f2d48

SHA256
3902c5f873010aa7314cc593e6de784a4024f10a4e5d663e517ac3ded913f9b9

SHA512
8d8142eb1b8f7009186be3cc834fa4c7e41e57f2630292eb7163530433ad88bf4a347c785f7187508793aefc57efe36f22d54517675c8e93c6b73625a88cacd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b7872310b37b0a6e8b4c6bb824905eb

SHA1
9e7aa0b9a218d4a681857581213dcf039cdff0a3

SHA256
962703051c9ad40657513024205fe88692673534e7937b0dc56a053895d9bf0f

SHA512
d5d52d0cf64427648ba0c3ed01eb586df500d4219e8a5cabb06dc657c35bc56f65d21793ea3cb0279d3c76cac360dd68f7ec3e8de25fe727c1a768da78fc7f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abf23991986f68de5e1c8774e63fe5b6

SHA1
9d641a47a0df9b6f48fe0f383c70ed3e7482e955

SHA256
cafa4829689aed874e69d7899eeedaa1f4fb14f40fb7be8fab0231ba44a270c7

SHA512
5ef03537aed93f220329ec1b21fce960e8794e059fdab376ad7f64a266de7667f1b42539cda67bbcc19468193e3fcb7acf0e11209aad8a0df45a0c08e8028971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fe36a5e926c2f007e5769a462a34f77

SHA1
ae76c195b7578df57625a9fba8d17fddd0ed4d89

SHA256
7e1ff1f47d8329f8b1ffaee68848d3be3824a15fc6edb8d79959201dce2459ae

SHA512
716689f3fa1ea98d5567a729336960096e2dcebc6839525f6268008b12cdd30ffede9df92ae3ed3e09e49ad4a7f5f9e02a6db2f31016886db3a81d52fabce301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e369aacb6ff69aa13ab6c9e245d80d03

SHA1
0c6dfb0a684fa4d51f5d82f7acf92465c3df370c

SHA256
896a774857b00e4800b330dc447007d7d025c7d7b99f10faf9240213e356ec51

SHA512
4a6861abf16f371d5bd74b1ea98f97d787721e7664b6f9c816f021281c6ce33b01f51b7e0b6e72ba3f8527012f7480d2f155bc29ecab43728f89a52e7247d9ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9e2814937eeae9b8d4b20ef6bcf72f9

SHA1
2532fbe90e5790d216d88879007da26243bf5f97

SHA256
1f86d072494df83bd795923a5a68d64340cb39e05158c5e6f2543e90a44d413f

SHA512
b40dc4869abb85bd821cf656bddeb4c864fc7209b9c5f72760f8bf804494dc00384e7216fbdb943972ac57d4732317bfd85bcfee1335ae8adc0161ce1c845fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbd9feb3514e37392c0a5daa211b5c88

SHA1
2e99f14aa8049aee5d2e63944424ff0d7dfff4e0

SHA256
66874cf2963af5c8e262ce5ecec19568a70b179155d54ff10692974bf6e27a6e

SHA512
a337b37555d1600db656b9f577b0c149d6a00455ad1164c2b710dc8d8b2374145f135d8e0897c3ac40675e772be3f56bcc8131ce33fcbe21f6f6ecbcabc3bfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4A3B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4AFB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F762V.tmp\setupcfg.ini

Filesize
85B

MD5
a9882935f747e7c636ad1f7ea95a5a73

SHA1
ced04ff02aabe433e6f8460a17937fad9a3e2cbe

SHA256
f5351091ef531ee6df7e1fac655baa82cdc2e66ddb9004284f29d013c531ca1d

SHA512
c964b8ff55d0fc35b9fc86c085f6e40f5541b4116bc429873c26dbd8d93e6a34ef5fb679a7ceee7d4648fb65bd473fa9c418a4da94a1490525ed206a62bd7286

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
2.3MB

MD5
7bfb9bd61a69e7a4717f34f22dae8b4e

SHA1
a8b1ba82ee7172e9e5f184fef35bd41bdd373906

SHA256
f8404bd34230c1db313e2659ea483e7640c10987917e2cebdd4dd9c4ae67a19d

SHA512
19e6a0c065b1f6980b6927c6af5accf7b5d29f450daf37e57feb9ec901f3105cedd34e2129f2c5c320b516bd6a709a3b8a6885f4ee032e12dbae0dfd4b9a3273

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
5c2c888c50585ade35e03fa261e6c7a3

SHA1
228f8b2423945596d44892fff79cee851e725d89

SHA256
b88171732c2054dbc64a1649430646eeaf7b5d63c491e515a66736aacbb7aba9

SHA512
af463a375586f7a07f29c5855146be05ad74bd18fc90d46c653bc6911761b911472ab5bd7eab75a7bd8b9533704118d2d756368c74ccca7b88c4de294e8ee3d1

Download Submit
\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
67e866dbad2c21354f585086d3f3e5b2

SHA1
6b0ccd164c9108b01a81f249a2d9c05ed3b5f67b

SHA256
6d7c851b4dc1acb135aa18ef28c5921472ca46d555358fc97bf2b10fc82ad8da

SHA512
ff0945ec265d3c04335e3a0ab08737ae68ba893455ffa3fa9e45e73ae2d58df737d247827e6b110f904fb18dd40e0d45882655f43b17c6bccd88265ad2aa494e

Download Submit
\Users\Admin\AppData\Local\Temp\is-F762V.tmp\AGupdate.exe

Filesize
873KB

MD5
a3ccbbb0735800b89931b73ccb69f9b1

SHA1
53c70f80017eff22ad88a53fdb3ffc518354af59

SHA256
97d0684ab1ecb2f89a3c8e53dc383aede506a1f9367aa283c0b9992a19854d43

SHA512
e4461a7cf5e8b8e655a2985be672af25e44276b018b7b532a665f26c1a44032bbada7e5a071a78827020c3f18d9d5c79bd0f59fe97876b1eb4279ec4094f3704

Download Submit
\Users\Admin\AppData\Local\Temp\is-F762V.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-F762V.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-FBEDH.tmp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
memory/316-296-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1324-407-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1848-414-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2120-429-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-113-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2132-430-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2456-140-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2556-125-0x0000000004220000-0x0000000004327000-memory.dmp

Filesize
1.0MB

Download
memory/2556-406-0x0000000004220000-0x0000000004327000-memory.dmp

Filesize
1.0MB

Download
memory/2556-115-0x0000000000540000-0x0000000000577000-memory.dmp

Filesize
220KB

Download
memory/2556-25-0x0000000000540000-0x0000000000577000-memory.dmp

Filesize
220KB

Download
memory/2556-116-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2556-404-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2556-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2556-428-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2556-416-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2680-91-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2780-119-0x00000000021F0000-0x00000000022F7000-memory.dmp

Filesize
1.0MB

Download
memory/2952-122-0x0000000001E40000-0x0000000001FCE000-memory.dmp

Filesize
1.6MB

Download
memory/2968-368-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download