be33af0711252d2507835a12f453b3c7e1cbfa1c8db527a074e6bb02e55c4236

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe
Size

2.7MB
MD5

0e3e925c0f21e8c9d2fe82be5fda251f
SHA1

00da8fd38190c27e4df1da7a289fd13d1b680436
SHA256

be33af0711252d2507835a12f453b3c7e1cbfa1c8db527a074e6bb02e55c4236
SHA512

a0c9762bc06b233e6cfacc7dff2a8b7c130ba42359c3c0a543aa64208bb7b091324d3b0dafb052a2f05ef916ebd0c73175cf4029163f66409b53159518093ed2
SSDEEP

49152:aZ74mej7s9QlRZPswbIEvSD7haUNs/NW5GsA1L5jl89ebA5rOYiZnF:aN4aKfE0IPhaUNs3XtpAebSivZnF

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
444	Inbox.exe
1496	Inbox.exe
880	Inbox.exe

Loads dropped DLL 11 IoCs

pid	Process
2432	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
1496	Inbox.exe
1496	Inbox.exe
1496	Inbox.exe
928	regsvr32.exe
1976	regsvr32.exe
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-FBE2U.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-J9297.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-BP3EB.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_navigate.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\ssleay32.dll	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-JHT7V.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-JK6HU.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\is-JVQJL.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-JG4L9.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_1967.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_weather_plugin.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-1KJO3.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-L3NBH.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-CTMED.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\mail_plugin.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newser.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Plugins\plugins.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-P01TR.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-TGCPV.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Plugins\libeay32.dll	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-TFATJ.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-RO2TB.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-SFFQJ.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-97E8U.tmp	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\general_facebook2.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000040585afb74d6597d8aea6d0c005308be5191363a7c8b6a43f601dcb2da555d5e000000000e80000000020000200000008fe0817ee03704f605714b581a12af84b8ac4638054d527789657989c53098af100000001f3d60fc7fef0b2b698c3c2858db56034000000049107425af0450b71a5f783255b0dd59ed4a7d126f01179d62ff4f01f277f7bc1b3b84c8fb22d2bb0aa57357cf2e64ca6da9d71adbc6a302a47b165b92e7504b	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82845&iwk=845&lng=en"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000002caac3c6bf7bc90a5c70731f2ce524ac913a945d6228f90bd2c169e6ecacea55000000000e80000000020000200000004e0b05747dbb55a784269737f7e5fca6e648daba06ad12108041b2b56cec03c610000000ee38c7636eb83b6ba106495e6485207040000000effad09b32857ac208b54576abfca61906a5ad61b79069d641dcea2ac78ce7af836bee3e355fac2a04bc2d551a11a884aefddbb11860a467553f1574621f46a6	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000006896e5c5c3f8544bedf22e82d759c975a154ef191dd2f8197fbd62aed55f1395000000000e8000000002000020000000da07af81c491ec722b7d18306eb6c61f89ef2504ee38ae01e6bfabe413ed269010000000094cc438c11a89f1b9a41bece7c1f37d4000000034bb53e0e9f2a34cc56774995bf5da96243e86cf749c92dbaf29399934fd37b8da3d9843009c7bedcbd70b063fc7e5ca2d3683d92f852ee361d30d4d10b10594	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000005851c4776d819c6e4f1c4359467389dd91e861020c8ed9974fb26f3c49cdd0f1000000000e800000000200002000000095fdfd17e24f7e9cc7c7851c8fe771b0ba07f587dfe64ae53e9241fdde578f0f100000008cbd476914bb662a140317012ba2f90b40000000489c84d20762959c98b46830791a849f93368e3378e72ca23d5aadf02dd490f93587365228ad4d05be80fa425967aea293eb7a5f5cbd1905bf334dce7d741874	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000ba5a9a6ef6ebd4ced18321ae306961fb28ae573b3fe18414d73b7990e46642c0000000000e8000000002000020000000b9a439b3dfe38123d689f5caf5b105434b2aa8f9146f22fb2fb2086fc404cf6f10000000e0c248b5a36450b96a731e1b672c783d400000007a18650eef92ba0153369dba29e412b74c137a57a0607874195af66285458781bbabf4389d91540231a2f803f143f074657d0bb231b3f469bccd3baa01b4d439	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000002bfd232814ce38cdf47f761d3ba4f6ec35d62ee57a75c77a1ce7721e2436d590000000000e8000000002000020000000c8d11cf5927834870bcae4f708367befe6fda293052493447018854d29f25416100000003bb41a895085720b64d635407b6e078140000000765a3de12388916361c4c10d0a3c8fae36d629fb9e6a25f3a411cfa1b2bce7e891a68133abdf66fada3c4489db638f4bf25731399bac279ff63c5643bf489037	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000097d48f866395a6312c34406270bb7bed4b892e883d22620ccc29a81bf5f9effd000000000e80000000020000200000000d6e42df76c45b670d0447ad4dfbacfe9cb9e5bd13e935109c3cd673adadcb7110000000ce0f0dd34093ad71837331b5d224982b400000006f6a6cf9562cad8186aa46b0a6e151eca13535faf4bb13fcf18a51a25d9a9efe32690dd481c942060302403255880d3b053e3485c0f75bcdbc1e0b3501945afc	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000136e98065bf708622868f365aaa747b38a0ff59f1a0e37a65d75b0f172f3d412000000000e8000000002000020000000b04e6455239c8ca4dfc1c799293911c270454dc21c1ef9590a7c379d434dd42310000000dd8b4f1e6a464b641e1ac6b93aad5b3c400000007f7668b7b22a1a44784fda8fe081fff7f8708601dd101af357f7578b93f5ee31034348255d159b2af4863064ad5d1e80bd02a705cc782d68602bb6beac0ebb11	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000001324fb49016839778bc19f14b397ecacfa70239e5a6731cdfe8efec9f6578eb2000000000e8000000002000020000000167deaae5502cf6187fe434a68350d1e94cebcac4bb559ab0e7d0e90fe2fd0b310000000854bef882d122b55426a4934212bb8e340000000306268057b313fe62f00be44f61ee51a763e26496c221bd6b415a8c35ffd48651dcde246a0bd62389985ff8e4c4bb5274e7f25f2a5841f82035ee4b49b8c4b43	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000d2d83aa45cbc443a02d764673a5757e98cef90ef52f01f4549b779a5e78e1d75000000000e80000000020000200000000eb986bd2cc6d4bc838d2feefb0a9636a9d63a1f5d0698db6aa52a06c52707401000000067321072d2ec7a338ff0c3c75ddf7e8b40000000e6e816a49955a595933477935f0db0d9c6530f5e8d47eea10ee2748ff2842a238f7efa22e6b97a29d618f84d606cc772d920f4e5d2d888c4e4f6f902595df9b8	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000b2efb6c8cf2ec434067ab58f724d1dd03856fcb4af2834fb29ee64d45ff3d1a7000000000e8000000002000020000000b9474d01e62c1191a09b2b9dde46feefa5c9385a9c931a2eb62ab477800f1dfc10000000f705e75dc6bc56e91f4e5c320a97e7254000000043a5bfd1717662b1899510ab94654ba371d7cc3ebc861e9ffea273875ad6726a7a83dba2251471a977d43775aefcea79c5e03cf907f4e86a5d263884a3653fda	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000cdedbfa778923a424e94500071736c1699c54afc4744c616fa4a2bc9906f5c84000000000e8000000002000020000000a56e9aad72f795478cd639d51eebba9c52aef30a37fb6e47ca61c07503b5592a10000000e9dd024fdb7708b4e9cf871144a265534000000084a6cc3653c440589551631ca25dd5e9a28ffdc1d1b39d6b7d24ca8cd4678ac812672d2bc17b9cc254c909310443bea49ced11832f53d25a4904e68afe03764a	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000054f5bae1a250f91e8ece3d863a2817e22ce919d3378ccbde5d88372c7be650d4000000000e8000000002000020000000e9b2b77fbbd873316561356329fc6c2ed09bd0d5e105eb8d231f9bf254bc674010000000c4a7d22aa011590ffc9a82dd78dcf0ea400000000fca645b9bdbe2cd0c4cba5e8c4b7d3e83e041b94eec9b8bb311517984d97c0bf8ed2a0030115b3ab57759321cfb0e4dacd6eae0aedb63894eab349984347a9d	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000ff16a2ceb29a091978dc735c883b26247559bada0834e18cf40f5fbbba9d2ef1000000000e800000000200002000000081f495b2f412f182c83e545770beb6d030230c2d822ed1cc0a9c637ba89488cd10000000a9a9395927db11b622e200db0d7b7fc040000000abe0aca63eb79825229d4beccb3b72115c656a4277500eda483b23a7d2194d5db3e3933614a5c21b649f4add189a972ad4c497713527d5b5c28118c57d4aa69e	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000dc8b012aa77e92063e0363c562d0faf7f6fcff7a9d2b2f81a0661f9f04355f02000000000e8000000002000020000000c9bd70f3c68281c1a30c144599c2a81c73addb739bd6d7665d6805db89df92ae10000000702c39f77c286ae0bfb568e6b12a047e40000000e47bb0c631a2ae9de8426fe809b287d010cede591103238767ee4d0f7587ba0638b6652dc498344cfe3a32bfa0103916a1c9e3d560437274ff909c64427bccd8	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000c5ce4665e0e895faa64618fdcb6d894cb68457cc262308cc789b309bd91a98b7000000000e8000000002000020000000e56bce164004101643ff373e30f77c2012dc0d6f59c2874adaa3aa09e9a77fb5100000006b3ab1a64f97a740d39265a8bd9a5a1a40000000ed0f6ffd11590776362e4b8e218e1dc10ee1b40b84549fa8e2a156a6f4be215225443bcd4a429c44b58fbb12951cf1fb6b4bab11f3885f6b66ab0b0aae3a7f61	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000002be5b991cac24906441c1a10f8434f9c8999949e1704673f6b95613c507e7798000000000e80000000020000200000006c41bd95006e3a70bc4d91c8c39959ccf386345584c1203f5e8ebdcb32aaad0910000000702e63d67e9679dc69ea5d82e198b75b400000002ad2464cbb279312aa93d6c4a107b1e4817adffb9bcd3037b957a3cff1fb8d2fccc299cbda1b0cd41ed248d607d4a2374b3ef56ea9aa247ec81346d7e46a75d4	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000006c4811ff5ebebe32abaffa659291d90ff9019e0722fc3919a249eaf482ac126c000000000e8000000002000020000000dd78a455a8911c422b5289e05c91534159ef6eb96f0a5df12226809264b181521000000045766531e816406d863b820e77b9ac3440000000555e8be92a6f23414d245faf7bd361c949952acc47eab9da5b822c9f1eb6d3e71df26aafb82dcba7b083cc2cec2a58378c725a17468d788b53422d4bac2a5fa5	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000adc522608c26323ed510902b31b2e96dec0b276d8960f2cb3276bbf40332b232000000000e8000000002000020000000dac3f7bc19dcb05ee6292a1d49ee0f10a3053707a92cab377ca32523a174f44b10000000885cc0677c366d8bd9352ce0432a36f840000000deac65e3fb4b9e614b1eab4396fee7a5f963b19b79a5ec0eb870892267e46716a8b125d34a94eff1e130c164d9496b3a2922e499100ef17b7ae4119ec22c41ff	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000ec87f1a6ba7341a126ae7ea8775f2a026c0d103dc7b28aea07c103ae3fb1de0c000000000e8000000002000020000000dce9402a42e0a5391a87d5e373f4a70856c3934d02707f7299aade047d30ddb5100000000ed856d0388ee23a2f30113cec916f394000000079d21a35a44b97559387268068ec9f15a2cd58efadb517a41cfbe0310c1e8593d138149ba489b93e1892e1d3b8da90c180239e1096f07880c67b87ab2da1f7ea	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000486328f88cf61021e35db37c4e3fc863b5c2cd3de03bb28ea2bfecb78878a3a2000000000e8000000002000020000000e330369b59ad432b714b69ef8da9608c7026d933a7d7febfd693be9fa696d4e010000000af544eca22d5321aa5589ff79ab3e6a6400000008511d53b8bd193ee38a2c365a90c811a94e38b1d8c4b5a933a63adb3ae04f56efe2f5953fa45e681f3fbbc8b00b57373daba5d89b23ed6fdb5977f6688bd9276	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\0	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\Clsid	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Inbox Toolbar\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\CLSID = "{37540F19-DD4C-478B-B2DF-C19281BCAF27}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\FLAGS	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ = "IAppServer"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID\ = "Inbox.IBX404"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\Version = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030106082b060105050703031400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e0000007400680061007700740065000000030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 1900000001000000100000005dc45e2cd1845791bdde7600050af510030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a0b000000010000000e00000074006800610077007400650000001d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e71400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc090000000100000016000000301406082b0601050507030106082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c00f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 040000000100000010000000069f6979166690021b8c8ca2c3076f3a0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030106082b060105050703031400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e0000007400680061007700740065000000030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a1900000001000000100000005dc45e2cd1845791bdde7600050af51020000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2156	2432	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2156	2432	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2156	2432	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2156	2432	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2156	2432	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2156	2432	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2156	2432	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe	30
PID 2156 wrote to memory of 444	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	31
PID 2156 wrote to memory of 444	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	31
PID 2156 wrote to memory of 444	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	31
PID 2156 wrote to memory of 444	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	31
PID 2156 wrote to memory of 1496	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	32
PID 2156 wrote to memory of 1496	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	32
PID 2156 wrote to memory of 1496	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	32
PID 2156 wrote to memory of 1496	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	32
PID 2156 wrote to memory of 928	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	34
PID 2156 wrote to memory of 928	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	34
PID 2156 wrote to memory of 928	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	34
PID 2156 wrote to memory of 928	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	34
PID 2156 wrote to memory of 928	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	34
PID 2156 wrote to memory of 928	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	34
PID 2156 wrote to memory of 928	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	34
PID 2156 wrote to memory of 1976	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	35
PID 2156 wrote to memory of 1976	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	35
PID 2156 wrote to memory of 1976	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	35
PID 2156 wrote to memory of 1976	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	35
PID 2156 wrote to memory of 1976	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	35
PID 2156 wrote to memory of 1976	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	35
PID 2156 wrote to memory of 1976	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	35
PID 2156 wrote to memory of 880	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	36
PID 2156 wrote to memory of 880	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	36
PID 2156 wrote to memory of 880	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	36
PID 2156 wrote to memory of 880	2156	0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp	36

C:\Users\Admin\AppData\Local\Temp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\is-CS803.tmp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CS803.tmp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp" /SL5="$400E0,2132727,70144,C:\Users\Admin\AppData\Local\Temp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:444
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1496
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:928
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1976
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\BTN_1967.xml

Filesize
4KB

MD5
641c15fa465fd213fbafe0a08807960c

SHA1
1a10e799d2d680b457ac2a506e6ce9e1eb639885

SHA256
91bff6c4186deda12939e3b4c51c91a85b83a7d4d7524c8fa4b8c97091fec449

SHA512
84815869e1268bd2cccb4d5fce5112aa3467aee9e869d987a2a19768a8a7ea293fdaa9bc8edafc97998df1d8962f07b5b4cfd1f32c16843acde8d3b558507d66

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\black_green.xml

Filesize
51KB

MD5
01116f926b28cb3442473d8b47a6dd8f

SHA1
5303b4976d13bc6f3ffa0e3c443a0d36ea55fff4

SHA256
01f5b90e46c63749261d30ab669b55b581ae0c41912b54b38f71c7dc2c454511

SHA512
df6debe9debe900ff5338aa9d8637a6c887b9905a1fc77b6e2a50d3f8067cfa806e9fceb3d8d2a57b5b859346267048bca60c5f19d2bd9092f9c08a2d2859271

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_facebook2.xml

Filesize
3KB

MD5
45dc0a638701a1d267778029e7b9439f

SHA1
1a9c21d34cb68498df1687db258a3302d19d10a1

SHA256
8ec30fbed691aaa6aba5f74429b94a7f3b03011347d2179dded2b2a7439d7639

SHA512
0593dab63f4f9a064705531627fdc20977d9afe842f5cd9103a389d1633ee1251f54d5477194a5087e037f0dd075d44ee7fb881104a25ee10988d838148af270

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\general_youtube2.xml

Filesize
5KB

MD5
1b4bb1996fe1d1607c402b5b9b46bf49

SHA1
fdbfd8bac0cbb53b49c672cce3a995ab74b48bec

SHA256
fd3585fc0affdb6e46591fcd3122b8f3a3e59ee949c7677ec1ba966191b49b6a

SHA512
5aa61fba5d3c7de01040ce72d2956fea8f2f61df13148f0c164c8a7f66d95422e29e986c1b1719985ef98ffc808d4e1a51344b7900c50711c33d8e691c133830

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\mail_plugin.xml

Filesize
6KB

MD5
d5932b3157fc5d33bf1c2ee608a9cc4e

SHA1
d5c4a96bca0bd1b7de94a0c9b046c0827ec44126

SHA256
2e1f499961575b0d45f4ab87392c21ad9fad77accccb3dff0d6cd7ced17c610b

SHA512
0fcf2edbaee396d543b7a217d6a92804ce82393c7548152693a9a9f4d4bfbb4c44ccbdf388d576c0991b0eaca7c3df894183152392c9c4f07caa85cbac23cdec

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_navigate.xml

Filesize
4KB

MD5
8e87fe8044e1ba16964d3622a24ce383

SHA1
cf3fc71ca76523e160ba06942c1189035f1a7540

SHA256
fd96c083b5ebbf8d84c24fb45e61a5785d7c56a9a9508e4dae109f02230c8f60

SHA512
c426226546317ff99b9fe61b9b773fbd9be043a58edd1369ef2c305ddd47e66d8e1884726672d1c9d2abf11aa4a1d835b27ea176fd90d0ba9f16958e10e052b8

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\maps_weather_plugin.xml

Filesize
4KB

MD5
6541f47f14d00caf3a5afd2c400728c5

SHA1
bb0f66eb5dbf1b87b7c22c1ffb73aea9044c2792

SHA256
9e5a228bbf6689e00de5676b10a69b1a131ae9b5ecf72274a5cb141026be75d3

SHA512
3f57a699cc299a0a8a309a4fb6f59cde886024f82dbd427dd14c38d149bd484edb280873d4b5e34f56c0126c9638e93f1ec12c34a4cd63cfb024488770ddeb2e

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\news_newser.xml

Filesize
4KB

MD5
eed5c90550189bc440bc01a26d26e044

SHA1
fd0a62fb40eb99d267d79e59c32cd0cfbc4b0256

SHA256
402332dd03543861b5290a1994ec97bcbfacc8a9e5d7bc730e363390bf742790

SHA512
6bc13dc9a0e3387b8baa0325812ad2af3641d3cca7dc9fdf6412ceca9f68b29881ab2100bfa9b63744074254fce7e20e38203dcf2f25aacf14dfedfb306c0522

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\reference_search.xml

Filesize
4KB

MD5
10ccbc4db5529074d66f938af67a0689

SHA1
28ebcb68e41425f8c226e6cda9781df70ddbd087

SHA256
424c44e549be79e027bcf4ed93978ad3c515bb9632d3610d69f94e16d1ed2144

SHA512
f6e33503abb9df68554136ea4c156d70ebf77199e3e8a18d5e7fed056c2d28e581f7db39567f88662f9705a4da5990b070d99d4ff0ce28e91ef5b0eca3e8a8b6

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
abebbb5e520dcdbad18a67989ce96b60

SHA1
75d8f52df3139e7ff93d8528059ac8be93ae6d1f

SHA256
46fa173e57779f42f71eb2df45a742e05cbf2daa9977f4ecc3f77823894e98f1

SHA512
cbf7047331297ea8ea53b5534d4f965ae9c4a32fb7033919047c27258d90c23ba33c45759be40c2047a8d629cde732466fb409d9ca15449b28673a35b909e0b7

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
421d88d9225bdaeaf58eee12b525616a

SHA1
00884ae0ff662eb19b467fc4bdc781bce3ad6450

SHA256
e526ec11e494dfaf3d3027f43ad545b9f740e9872c2477a61efd7e5aa178dc68

SHA512
3adc47f6494eadd5e2d50bd3d1f9efd8ad13f9f78cf9ce81efd8094da23817407a475f7345d8148f06cb08cee225989881211ec19dd042d6f19bc5dd5541ff25

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
dc81f4b39be87df72f28edaf1dc73bb4

SHA1
c0d1253b34fe9bc49bb26dd79aa9c341d8983daf

SHA256
18773282289fd8c3eabeb019caf72e5f080261dd6bfb74c05fe2e83a1cce1c50

SHA512
018ca7100d1c6844d42bde2b8cfd98b13ec2e230ab52199aa2e683297029bf88e5cc56a3ef1d360eda4b360bc00d047d593af96d0c62448994729b753cb3fb3d

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
5b26b6a64937976b7e686f4ecd469751

SHA1
3740a577d0ac3650fa9781058cc0059c9974020e

SHA256
f27935bdf97c39b18efdb1480e3549e8320c7e80098f7653e3c07298204be59e

SHA512
0b9e8c6c4d38276121a5f112bf561a7593a6ed95eba941a9eaace1ea0a2e817ff4f254f5acc2411b2231e4657adf9632974cb9b0257a4ed274ff6db6a0971c50

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Plugins\mail.dll

Filesize
1.2MB

MD5
80b1af63d2de40628b1b5f0bf86e827a

SHA1
f7267eb35f8b499c91a6e69db74f9c686286b621

SHA256
7bb3fb17dcc23245d734870b6c2c2cd0f472467a70f32342e08526796f0258ac

SHA512
d5081a83c7df32f20a00e4ec39570fc034e99c9a79f47cab5189a27910b2b25b9c98b65a878211ca2945a2753fb8f37ead2de5daf095ad3317c40b84b539a6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
30B

MD5
129a4ce81f9a7b3dc2d98e090a069f05

SHA1
a266de9a5f3fea40e7de85ddfde49f4b6c515c96

SHA256
9ec3cb3f9a5f238ab518e7b57bcad1ca765c429fb37be15057da7eb9170541f7

SHA512
3d15c7ddf93e944ed5ce634f35050f95989b1f1f35b4b8233e10658508f07953579c6dd62cced8efd22cf783c7e9565f39270e5bb46d2959a1312148af6414f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico

Filesize
1KB

MD5
34f4618666b7e80e687b25b82a7da5e2

SHA1
ab543a8992b71891139d608d77403a59bfabd501

SHA256
fa975f7a7a854a7730b1c92d1567706dce2eab80d78cf131eb1cec40e88cb7e3

SHA512
b7e4eeccdd9d84d9a352e9490f19d08c06c54554ac52e3ba9aa1a81de2181a6a185387a323122021303afe32da21ceb3f1f6aa3524c45a6c8d9abac4144237eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC45A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8C0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-POBFH.tmp\RI_AfterDot.bmp

Filesize
84B

MD5
7ccd5a0af4da51cf4962f184fcf9456a

SHA1
de37f4521fa7fee49b37898f4136728e8971ee0f

SHA256
8f2374b30622dfae1fd0b9706520de34c5e1597c1531fddbff65bc0201132ac7

SHA512
d7c4fbc6a4413dc457400fa2e026dea5d639a5b413164cc6939284c46bb46b6ae8ff10184ba2da4f32ace89646b026400db2a49dd9894d71e88d003a91c8267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-POBFH.tmp\setupcfg.ini

Filesize
44B

MD5
866da2aa5e52c6c9924b4f2336486abc

SHA1
f66e44ef2c676ae98e1bebd0a3dc7a5fc53151c1

SHA256
3abf00b9009b703ebf0af45becf2e02697a39b59c063d7ab23e71e597e7ae596

SHA512
fbff64fb5fe598944f9511c0e7ba539da86c33967e692fc51789a8dcbfbc814ad3c4a1a96108cf7f9702a02b16a661d73d4c5b848203a0290ee255f0b27bf509

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-POBFH.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
53723b9af00bbd8d2576c75278098e89

SHA1
1608f02f75a5fe00cacd2b8b513bd0c836af77c1

SHA256
464d440bb9d5fc57daaf4d14596cf2bd3f2c4ce209438135604e24635a3d7d86

SHA512
100917f2d5fb447097c3bd87d3a373d8b799ef8f6e061bf3c1663c4508699db107c0a2a88eac8879a171f7173de8e6fbd8ecf0141d862a21ebb672f9fb8d5fde

Download Submit
\Users\Admin\AppData\Local\Temp\is-CS803.tmp\0e3e925c0f21e8c9d2fe82be5fda251f_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
\Users\Admin\AppData\Local\Temp\is-POBFH.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-POBFH.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/444-205-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/880-395-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/928-270-0x0000000002210000-0x000000000231B000-memory.dmp

Filesize
1.0MB

Download
memory/1496-241-0x00000000033F0000-0x0000000003530000-memory.dmp

Filesize
1.2MB

Download
memory/1496-291-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1976-273-0x0000000001F60000-0x00000000020F1000-memory.dmp

Filesize
1.6MB

Download
memory/2156-392-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-266-0x0000000000970000-0x00000000009A7000-memory.dmp

Filesize
220KB

Download
memory/2156-267-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2156-22-0x0000000000970000-0x00000000009A7000-memory.dmp

Filesize
220KB

Download
memory/2156-276-0x00000000045B0000-0x00000000046BB000-memory.dmp

Filesize
1.0MB

Download
memory/2156-394-0x00000000045B0000-0x00000000046BB000-memory.dmp

Filesize
1.0MB

Download
memory/2156-434-0x00000000045B0000-0x00000000046BB000-memory.dmp

Filesize
1.0MB

Download
memory/2432-264-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2432-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2432-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download