4ff2598587176cea5287e8e19a5aa8ed4e5b7b9f049395930efd009e79dc7a1a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe
Size

2.5MB
MD5

b4ec0d1d6f287103dd35a6da945fe2d6
SHA1

c40d4875223fbb6f5e5978f4389897f62f8591c3
SHA256

4ff2598587176cea5287e8e19a5aa8ed4e5b7b9f049395930efd009e79dc7a1a
SHA512

51578b9c9f4a141d92c7972ac197c78f0d7a2c42d63ac13f4a65e7c69bee275a4ed4a52d19b0dff87bf6a42cf44f53bd4b6f7eae8521b18bb100d56c335e6b99
SSDEEP

49152:kaSDJLr+Be0SeBk2a5wL18ou9DjMYcOajZqOLBNwDaebA5rOYiZnP:ktO0iaaB879Dj3cOodB+GebSivZnP

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\tbrdrv.sys	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\SET79C.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET79C.tmp	RUNDLL32.EXE

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Inbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 9 IoCs

pid	Process
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
2976	Inbox.exe
1436	Inbox.exe
2296	Inbox.exe
1068	Inbox.exe
4560	AGupdate.exe
3092	AGupdate.exe
1836	AGupdate.exe
3088	Inbox.exe

Loads dropped DLL 7 IoCs

pid	Process
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
1952	regsvr32.exe
1952	regsvr32.exe
4528	regsvr32.exe
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\is-F94TC.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-S7MPD.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-5IIRE.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-ANAPM.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-2KI1R.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-MVO6R.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-S5MVU.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Driver\driver.cab	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-QLQ0C.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-KITDJ.tmp	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AGupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80139&iwk=853&lng=en"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a2460000000002000000000010660000000100002000000048679b4b4ea13e687910e326c16db7b01f4b1932d4d13fad1fecc0f9c5b6a07c000000000e8000000002000020000000a0b337d7954e9ca37803219a1fd6730b4429a8ffb6b236f4e262d8e0c479f3a740010000a3876fe6d6ee91e12f22c9d9be8362618ea4609ba4c261504a1bb4cbc4d9f35da6fc51cd214a34ef9a8fd0be625184cb2f05ef76530554706d73b15e5998c0cdbfbfb6b2d8748d6521aafc32b2cd9b004e67c180ffc628e583a8241752b975af2b93d2934e5f52b6739cdf71bc4b6c6daa52eea9e55a99c62a6b25b0d51e2620adb59473395cc1b6537d64b4eb30f3cb3297fb34350ce72993fd782ea042751439482156648f31d0deed1c1c75644fe08b0418fe98e46125b1972e97e43c9a06a11648af5491a6a4a12dbc3d849837f58be04a0fd0d5c0d6eb9a41534e3073d61048f4d77de327a3033b19fd21120ecabb1f9a3c11f8276f277014ed65f44fff5bd4e73929a5440055bec033dea861fb8940557e3cb52eab001352000f68c41d55610e84d5358e387928b6b595242748332ab2a936ba533ea179bee6237224bb40000000cd5ee651eafb68a07744e2fcb4c297aa7d939b911af7addf4afd17b17730c861bdc30f588ba447b9523d429a8a8de44cc74a2e2e56f0d01e8383b696ec112f79	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a246000000000200000000001066000000010000200000001581d1b114cafc85d5d12b8f84dc6a5956b4e76c0cbf354cca0df3c76ff6661e000000000e800000000200002000000033568d22f0e0d2e5e099d4584e1f39efb3d9771367d1783bdb2de5b61092ab222000000017660ec5e95d88dfee4c9de406178fd2099a82b1163cb6e6af452f10c3989d7b400000000b74c420ebbf577a0805a53eb741cdc2e738eb5dc090977ba74ced51262a2263166feb2a9292afd0665f933cd91acf90d9439db46067ba90cf1da426b56d9b3b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\SearchScopes\	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31146726"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Approved Extensions	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b35756fffceb1c28a0f86d97af51a1401fc	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Inbox.exe = "11000"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a24600000000020000000000106600000001000020000000663d39585526ee737f3d9cc8e3b1b89ff1f169edb04aef348c3894fa91207aee000000000e80000000020000200000007678961de51ef7113e3818083870994c5736f93c7dbe606e28a1b8de745265bd500000001401e2f8ba3784f6953ee245e4d6789d60a950d5de0263c22bdd3c692eaeb608df6ce341d352db68bae3187a2c490831b73172b229f8acd978dd5006baa2d0611c81fa699e1b8c35db8de8aa1f92d9144000000023b896a32a3b146241e034c0dd2c21f74967ad16f6561c287912bc9184916b508ab83fff66e47286689fc7e7c9da116cdfbc0e42119ef56d33dad79e5ad63564	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a24600000000020000000000106600000001000020000000f9d95383f6493d2b419282bb7900407a7e809b254f262025ecfcf860b5f00be9000000000e8000000002000020000000fdcea9a6e01dde05e78e83bbb07a98c8abbe8e8dcde84ebb6182823b587ee9e910000000003f1bd95414fa60d12a31dd5170b84a40000000e16daabf23bc84fdd30f7ab45b763fe7e23c2ac349cb1adfe80124ee4d9ae67781280f3fb762a5f357b029d1c2aa15316d44c06c8e244b3b4c5d3c34da27f551	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0fbbe32e642db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "832002547"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31146726"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "832002547"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "832783724"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} = 51667a6c4c1d3b35c524c4ca53cc020dacceb96171137624	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 51667a6c4c1d3b35756fffceb1c28a0f86d97af51a1401fc	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80139&iwk=853&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\Version\ = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ = "&Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID\ = "Inbox.IBX404"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\FLAGS\ = "0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ = "IJSServer2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E56FAFA-1B09-480E-B653-4B23918DC58A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\Clsid\ = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7C55C60-F5B5-40A3-A2E9-EC00E1FE08F3}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID\ = "Inbox.Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
1068	Inbox.exe
1068	Inbox.exe
4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
1068	Inbox.exe
1632	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1068	Inbox.exe
1068	Inbox.exe
1068	Inbox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1632	iexplore.exe
1632	iexplore.exe
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 4644	520	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	84
PID 520 wrote to memory of 4644	520	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	84
PID 520 wrote to memory of 4644	520	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe	84
PID 4644 wrote to memory of 2976	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	92
PID 4644 wrote to memory of 2976	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	92
PID 4644 wrote to memory of 2976	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	92
PID 4644 wrote to memory of 1436	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	93
PID 4644 wrote to memory of 1436	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	93
PID 4644 wrote to memory of 1436	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	93
PID 4644 wrote to memory of 1952	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	97
PID 4644 wrote to memory of 1952	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	97
PID 4644 wrote to memory of 1952	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	97
PID 4644 wrote to memory of 4528	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	98
PID 4644 wrote to memory of 4528	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	98
PID 4644 wrote to memory of 2296	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	105
PID 4644 wrote to memory of 2296	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	105
PID 4644 wrote to memory of 2296	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	105
PID 2296 wrote to memory of 3068	2296	Inbox.exe	106
PID 2296 wrote to memory of 3068	2296	Inbox.exe	106
PID 3068 wrote to memory of 1200	3068	RUNDLL32.EXE	109
PID 3068 wrote to memory of 1200	3068	RUNDLL32.EXE	109
PID 1200 wrote to memory of 4348	1200	runonce.exe	110
PID 1200 wrote to memory of 4348	1200	runonce.exe	110
PID 2296 wrote to memory of 1068	2296	Inbox.exe	112
PID 2296 wrote to memory of 1068	2296	Inbox.exe	112
PID 2296 wrote to memory of 1068	2296	Inbox.exe	112
PID 4644 wrote to memory of 4560	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	115
PID 4644 wrote to memory of 4560	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	115
PID 4644 wrote to memory of 4560	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	115
PID 4644 wrote to memory of 3092	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	116
PID 4644 wrote to memory of 3092	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	116
PID 4644 wrote to memory of 3092	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	116
PID 4644 wrote to memory of 1836	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	117
PID 4644 wrote to memory of 1836	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	117
PID 4644 wrote to memory of 1836	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	117
PID 4644 wrote to memory of 3088	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	118
PID 4644 wrote to memory of 3088	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	118
PID 4644 wrote to memory of 3088	4644	b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp	118
PID 3088 wrote to memory of 1632	3088	Inbox.exe	119
PID 3088 wrote to memory of 1632	3088	Inbox.exe	119
PID 1632 wrote to memory of 2708	1632	iexplore.exe	121
PID 1632 wrote to memory of 2708	1632	iexplore.exe	121
PID 1632 wrote to memory of 2708	1632	iexplore.exe	121

C:\Users\Admin\AppData\Local\Temp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\is-4ASP3.tmp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4ASP3.tmp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp" /SL5="$5026A,1888839,70144,C:\Users\Admin\AppData\Local\Temp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2976
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1436
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1952
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4528
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\system32\RUNDLL32.EXE
      "C:\Windows\sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\PROGRA~2\INBOXT~1\Driver\tbrdrv.inf
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:4348
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1068
- - C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3092
- - C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\AGupdate.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\AGupdate.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1836
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /postinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging "http://toolbar.inbox.com/lp/inst.aspx?tname=Games&c=4&tbid=80139&iwk=853&addons=1&addonlist=&afa=3&lng=en"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml

Filesize
51KB

MD5
01116f926b28cb3442473d8b47a6dd8f

SHA1
5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

SHA256
01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

SHA512
df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_online_gb.xml

Filesize
4KB

MD5
04e1df757b9b5a6418d79d072db000ce

SHA1
f118b45fa1092a7d473886b05984580dfa5eb5b8

SHA256
20ddca93499bb0a82627577b4cac56b6bb4c0ccb2c10ad92d16bac8b09a96864

SHA512
380eeaa2bd01629c7128a0971d6855f30d4e99bb9347d465a670419d8684585b1f7d52c6ea6e30d12bd7b0101ea1c9399c7e4f1f781db35c225f97a5e0d8d871

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_portals_gb.xml

Filesize
4KB

MD5
4b3274899a510ce0a0eaa6427bfd2869

SHA1
bbc6075fd32dbb95a254ceec0083f008113f7dc3

SHA256
1799d52866f0579798e7817e9168017bfd5a0a6e452af848e1dbe7311324c0f6

SHA512
4e9ebb12d5e6fa334bf7cb3dd4424036b3493958b9d6755fcaa5b61af9cc2898c588e6914b16298012b385cd0e890c024a607f120332c677f7b7d521952d4059

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\games_search.xml

Filesize
3KB

MD5
ccd6e298e340f9adc0e7359e9e924441

SHA1
87a1a8110e60fe6e0322e253170fb07c64dfc97b

SHA256
81857ce2a92da97d87e489612c6b5a82fb37f2a5856a36b772764f7072452701

SHA512
2bd078aaf07ece5a21c7353bd1843f9be60615775f19d1f14e0551c688b63bd21ac8c158230669f719180a724d64de9665720ba593323b87a638e3163ace5d17

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.cat

Filesize
7KB

MD5
dacf44f0b690f4c0053d31535fef87f2

SHA1
d2318c6c771a4adddd507c2fa6aa7d81ebc7aca6

SHA256
9175d7ad0f699049214a066e3b7672036a64354fbd88b002fb34f1d8c583d334

SHA512
60c7e1f3fa5c5515907b4e2702b0ffc1f32129fc92c75653ab7591745d78f7fa59b0a6c505b21cedb36151d4ca4a0fa1b90f09f8d267f7c9bd91a9605a87b7ce

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.inf

Filesize
1KB

MD5
c84b4baaa44b8989b2e76b42c1ab5301

SHA1
36ee3212aec954e82fd73c914717c7ad32cfc367

SHA256
94ecff1e1ce8d5d5ef349769ee4236d230a7f58dfbd0a7d32ebf84c2b41fcec8

SHA512
230bab43937d5ec8600882b2ca6249b07fc580fea5b1c8817ede28fae6566bc78fb8f2088dc4dea0997e217c94659063dc3d2adff0405944b427d325ebe373a7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Driver\tbrdrv.sys

Filesize
35KB

MD5
e7c0aac166d688ab41dff2f17e420a3a

SHA1
00b70a50af14b497cebd100344fafbd3a564fd5b

SHA256
babb144ed6471079b6922914646a110f9fe5588ca3d94deeeda584c484e4ed26

SHA512
fe539d89e28204b1d09607e9f0450ae619ff71efdfccb4597641a27cb3234fce1a2061e273bd8490c9bf15d19871aa93c1bf98c909b6c252549c40915d62721e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1014KB

MD5
cef98a42f1f86652b0ca1c31fdc2e288

SHA1
39d597dffab6d36bc47f21fe20f2eedba864a5ba

SHA256
39490eab802f21e6d00ef5eef0e1532b69a64dbed537c39f6c6129c14b6406bb

SHA512
498fe3191d3d9852c5d7ccd960847f24dc41af43cd2d4d05569b11a2b2f0b5b1c74d66ce520b58a7a6759bbc729d11dccfe5d0a1e6c5b2422ddd083adffae5e6

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
2.3MB

MD5
7bfb9bd61a69e7a4717f34f22dae8b4e

SHA1
a8b1ba82ee7172e9e5f184fef35bd41bdd373906

SHA256
f8404bd34230c1db313e2659ea483e7640c10987917e2cebdd4dd9c4ae67a19d

SHA512
19e6a0c065b1f6980b6927c6af5accf7b5d29f450daf37e57feb9ec901f3105cedd34e2129f2c5c320b516bd6a709a3b8a6885f4ee032e12dbae0dfd4b9a3273

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
7e2839c0e98367690b3af21d6408aa17

SHA1
99d41f4b0c57b5e6ef1efa2350038e10d4188035

SHA256
8cec384377ada9c4f9bfa6d03b8e6a2ed0dc650cad45b82594e11338458271ba

SHA512
d637ad72dd205f47ba4a163a88eb503dfb24f03a4f0b0c01aef8c29dc49942679eb5db47a1c63ed042f1f1fecd06d8ca6121972f33360cce5b956c0fc530286a

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
565371d1e7f731b426c5e36e61d9f003

SHA1
c7752a54f5ad38002ed6452c19570adc833f9e89

SHA256
ac43b254a21613bce70efc92a047cec6c5b9d5c4d6a2ab231ca5fd3b3665520e

SHA512
f498bfb9dc3016cf8be350b837d668441e0a4fd0611c1f28dff72f87d305ebbbf5656a8521245b7d388cff8a19d57ba1eb747f50d140beaab6a1902f66af0e92

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
5c2c888c50585ade35e03fa261e6c7a3

SHA1
228f8b2423945596d44892fff79cee851e725d89

SHA256
b88171732c2054dbc64a1649430646eeaf7b5d63c491e515a66736aacbb7aba9

SHA512
af463a375586f7a07f29c5855146be05ad74bd18fc90d46c653bc6911761b911472ab5bd7eab75a7bd8b9533704118d2d756368c74ccca7b88c4de294e8ee3d1

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
67e866dbad2c21354f585086d3f3e5b2

SHA1
6b0ccd164c9108b01a81f249a2d9c05ed3b5f67b

SHA256
6d7c851b4dc1acb135aa18ef28c5921472ca46d555358fc97bf2b10fc82ad8da

SHA512
ff0945ec265d3c04335e3a0ab08737ae68ba893455ffa3fa9e45e73ae2d58df737d247827e6b110f904fb18dd40e0d45882655f43b17c6bccd88265ad2aa494e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
66B

MD5
b084e06a7f942ae74c984674b59ab286

SHA1
6e5316501f88e432d7144b176f18202072146677

SHA256
806847b184ad90a37e734caf5cddd9e9eff80099f24810312e666f49a060a83a

SHA512
ab3194d6522f6592a28c3e583fc4cf63f3875287efbd9dafcb68be90239982b76b398569121a0317942b39956c28d8e93dd2a1c1f2bf568a9c3c88cc3ef2d04a

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
129a4ce81f9a7b3dc2d98e090a069f05

SHA1
a266de9a5f3fea40e7de85ddfde49f4b6c515c96

SHA256
9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

SHA512
3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
89B

MD5
96339d98a30c58ee7785f4f3d87b695f

SHA1
4c16cc8ecac6a5eb9f6e9df5ec120e49bf36e493

SHA256
1002a24d46b6a7a6fd8a1c007e18bcd8c3126d7b61143cc995d1c05262f349ed

SHA512
0f4a0cd146092218ca32eac7427173ab2aaaf52c22b5c1c6fcfda21e9b76ae1c3984da132e3a2363bba9de125c920740a908b7f8865f147898e7249ba63b737b

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
119B

MD5
8ed0f33758e83f41443df65ffc614f9c

SHA1
f865889a4bd5da514bcc7a689a9785268451e29e

SHA256
f27e521eddd77cdf261cbec81d0db38b64e7358fc94fd87327543e888433275b

SHA512
e9585968b0651e1ef042578fe19ab73e24c413732d34c5ebe3bd9a7fbf99394c7ae4767151ba25be1b03b258f09bc2913d56220a5489578c4470b847d1e48058

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
173B

MD5
d5451cd7f7aa5094ccd22e5130ba9047

SHA1
bbc7c08546a92404ca515b28413a39dee080f3a3

SHA256
f14d5cbe903369ed4ce4c14f409413000aa7c04ceffeb204604ee6a812eb2efb

SHA512
fe60a0a4075ebecadeeb8f862cd4a9ee870d21edac65e456c021cbd572d6cbdcf1e739dc8dc2017c14cbdc9b3a9ee83c701ac7e854e3f23514de15fe4e2d86d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
210B

MD5
da4c75cecc2fc2aa105a95f4cf0af508

SHA1
089b4df0334027c9bb9bbbbf9751719aec28b82c

SHA256
b330d1b2d56d0c8137271978c88b32ec17ee2212c563889d6e2ee95256809dc6

SHA512
23096436fba295cba09c07767d78e2383b166001ea4a51821f1296bae137c30a70459384997303c1e7dec935ea37891a17a0b5aa154137afa698fee3f7d3144c

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
243B

MD5
7db029ac4089936e5da1d134ee8ad88e

SHA1
c58cb33d2fa7fc4c6dc147af262d3905dbf31877

SHA256
d4d632b8dc7dd5e05871cb33f0fc965264bdaf540e9066e594d268c218acd8f7

SHA512
57da530c60b881634d999cbff6367a9855b801a5777849778e3c4ad63d6a7fe42f7ca3ff77ac3d195d5fe01e799447bae74368d57edcbe7015d47f94325d8bc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
93KB

MD5
6aa650efb4605f4bb39bdcfd8a2198ba

SHA1
da12240ffb9984e3f3d8e93a859bc8d768a242a4

SHA256
8729058fc0a109bfaf82d84abdc954805cd46ed499ff235d5181ff3facdaf2cf

SHA512
6893a2f796546c859c1a9ab2a8c1960f2606fe779a07bbe3cf3c0ebdb9579defa87c3b1d4dbb7e4934839a0cd5062255fb6d019bee11cf57e09b0cf350ce2819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0016A74D31092857A59EFFD39DCA657B

Filesize
504B

MD5
7908f2e15b32fc9b103a3a41ba9b98f0

SHA1
296d1fbd4eac64bd1c1a66a7f9b6ffbb75588d08

SHA256
28bf3d226044bde4b751d640166fae1b3663fb0f6cf12dd2b600aa02ef8cd089

SHA512
eaf9077dbdc41728ef4b5dbb3931d1f505e05b1823981c0a2dd038aed37c377fbd9a4b7ba25b25c86666ae52e085c30f26c1f667f784043e517bc8bcf9d57b29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
549aeb864011f0c57644853ec90cbab9

SHA1
fd63ad25ed0824b3aa6c9bce49f55d85d0a88e3e

SHA256
8c2c91480d44c8881a3cde343916de69bcddf67dff17588e9640c4d7b01437ea

SHA512
6d6cacc4c938ff1cc53d4504fc8faa8ca2c4ddab8c0edfddfaee6039a12b9f845dca85b0ef06cad8b6a2a7f02c0b6cb47cf6ea0dda333ae21bb59d222247be7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFA29970976BD94BE95852DBE7C2A72A

Filesize
504B

MD5
5bbf9917fd20328b8bbf1223394f5e09

SHA1
b01567217b9b1c9827ffbae04bb43604d0cd8adf

SHA256
823cc005cd56b35fa4ee6eca63f8e13f57200f0a1c6089d0a5497e9dccaafed2

SHA512
60661b56066ecdc8cdd957e9d1a1f9ce63fe639ed3a3a56fe54ae1b1f00a113c52b51e187b96aa28e1aafcbf5b81e72a4d829a7dfcb9bbbfd416146827a3e9cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0016A74D31092857A59EFFD39DCA657B

Filesize
550B

MD5
ad3f3741f40eb3e9c06968bf065d9f60

SHA1
a4a7465288ba0d32f135ea975b9fca34399b887e

SHA256
b63a5875fb998ae419217a4ddc4c7b55b83f4c9039220e5d52ba080be5fc686a

SHA512
a6bcbc20701ebed0b86825c7d593d4fee569d1e412281a295a2c31f899479d1cec25b5506107fc377aa2ac1ec40b00d1239e2ff1060528c85af1a9d02c834865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
cf44ee26082549d81aa522d89296d4bc

SHA1
b297910b24fd6d0f18a06f7627a0faec5373c07c

SHA256
352aec78e2adeb5696d0b41246bff625d187c984a4c35ec298a549542f50f20e

SHA512
9c6c504707bebfc4714f01737f5eec4dc8f51584d1d3bdf80616ce99631993781671a658eceacc5940f4b210f3575623b0ba74e49275e8defab8d1d39c87b72e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
ad927adf196b800b1bd35b99b4515a4d

SHA1
1ee22102c5f49d6994860d6604a326716c3b7cf9

SHA256
923187044f1fd5226154a7d471ed1c2bb400f067b083323d6c8b5fd930c911ca

SHA512
8e895a0b531af03b18017ea498d4fcf91edced3befa32f5a9879dd08fbdccb5903d3d130afe7b96aaea7cf7f53d24b61c716c0763ec4c9de681543d6a2697641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFA29970976BD94BE95852DBE7C2A72A

Filesize
546B

MD5
68f1d634b30c1a82bff6a07052899e47

SHA1
0cab79b25c5533fd0ce4ab8e5391319bf621a52e

SHA256
f9b3f6acf0e9bfcb4f2c380af95bd9a62b2aa29c3b7d8defe07725f38d53a3ae

SHA512
e74ef4a6431e513757c13f5139f84d20636a865b08f9bf16063d2742045daae4b31c6b9c94a4d9a419a30d4418e2f57cfd656e0a00903dfc993a143a676e2129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDFCC.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\l5q765j\imagestore.dat

Filesize
15KB

MD5
84d8d131065f6e62d30c3bc7dbf2a817

SHA1
14f847804830665d7a4c2a62a72cd8b088ae0e36

SHA256
4a9cad7d0bd538c40f93b722c35355fec54d1411ddb3b6d21e54d2e9f101f0ab

SHA512
26a139b5822163a4acb09b76fd5e5bda9ab1d802b22c6a41052f0c57a35060f5379cbe76e522560409929be092cb1c220d217ecb2dec4d1416ca4ac984ab24f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FMGLWGAG\favicon[1].ico

Filesize
14KB

MD5
de4c71e881f03193bb0884185b51bbdf

SHA1
8f51bb36b81298f9fb57824716539520553b77fe

SHA256
1f8e952702b912ccb4326c9bfd76f4cb49459787a2955924798792c20ed45580

SHA512
cf91b32ff05ce6fab615d727c6a1e25c9f4f08d51af5cadbba74650921333b0f0f3a0444a36c4c4ae77abd3ea54c846c8248af7cc0256c06ca4aabac457eced0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4ASP3.tmp\b4ec0d1d6f287103dd35a6da945fe2d6_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\AGupdate.exe

Filesize
873KB

MD5
a3ccbbb0735800b89931b73ccb69f9b1

SHA1
53c70f80017eff22ad88a53fdb3ffc518354af59

SHA256
97d0684ab1ecb2f89a3c8e53dc383aede506a1f9367aa283c0b9992a19854d43

SHA512
e4461a7cf5e8b8e655a2985be672af25e44276b018b7b532a665f26c1a44032bbada7e5a071a78827020c3f18d9d5c79bd0f59fe97876b1eb4279ec4094f3704

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9I7C8.tmp\setupcfg.ini

Filesize
85B

MD5
a9882935f747e7c636ad1f7ea95a5a73

SHA1
ced04ff02aabe433e6f8460a17937fad9a3e2cbe

SHA256
f5351091ef531ee6df7e1fac655baa82cdc2e66ddb9004284f29d013c531ca1d

SHA512
c964b8ff55d0fc35b9fc86c085f6e40f5541b4116bc429873c26dbd8d93e6a34ef5fb679a7ceee7d4648fb65bd473fa9c418a4da94a1490525ed206a62bd7286

Download Submit
memory/520-424-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/520-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/520-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/520-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/1068-374-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1068-502-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1436-123-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/1836-413-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1952-126-0x0000000000AD0000-0x0000000000BD7000-memory.dmp

Filesize
1.0MB

Download
memory/2296-300-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/2976-93-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3088-425-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/3092-397-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4560-386-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4644-165-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4644-401-0x00000000047D0000-0x00000000048D7000-memory.dmp

Filesize
1.0MB

Download
memory/4644-423-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4644-371-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4644-399-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4644-152-0x00000000047D0000-0x00000000048D7000-memory.dmp

Filesize
1.0MB

Download
memory/4644-150-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4644-132-0x00000000047D0000-0x00000000048D7000-memory.dmp

Filesize
1.0MB

Download
memory/4644-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4644-23-0x0000000003C20000-0x0000000003C57000-memory.dmp

Filesize
220KB

Download
memory/4644-64-0x0000000003C20000-0x0000000003C57000-memory.dmp

Filesize
220KB

Download
memory/4644-63-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download