ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5

Analysis

max time kernel
119s
max time network
75s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe
Size

2.2MB
MD5

02b4a52ec119d3cf966d70da67eb3cef
SHA1

b424858fe8871e2ca7b513f34f7568e4d04ec4cf
SHA256

ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5
SHA512

3a1bedf763bb685be3d1712db82f9e201a0102956839ce3b31664b91a796eca92c41b606e2b7a6b95c5f43b0550a761b35f7458aac3f38c38b66dee621acabf7
SSDEEP

49152:GeZM+VKH/ZKhwqQtUWzpDMnOmB7ebA5rOYiZnS:7GWwvtt1jmxebSivZnS

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
332	Inbox.exe
2452	Inbox.exe
2104	Inbox.exe

Loads dropped DLL 10 IoCs

pid	Process
2120	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
2452	Inbox.exe
2452	Inbox.exe
600	regsvr32.exe
1148	regsvr32.exe
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\blue_green.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_calculator_fr.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-J3H9C.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-32HC3.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-N8NUN.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-0VRAH.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_measures_fr.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-P5R72.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-LCMMU.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-C1CI1.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-429CV.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-TENR5.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-N72DK.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_currency_fr.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_unit_fr.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb6000000000200000000001066000000010000200000008a56904bd7a33d0c9f1085d6f5bff9502fc979a38f1f90188be06ebaadd39533000000000e80000000020000200000006b16d8114b9f2f722371bfdd9a793e4e33dc7a20f949b9721f75f1ce93ea4908100000006707bd3e22156e2bd97ab15f6612802440000000651e8fe2a9f07e1c39722a1c8ad55f1c781dc4a0670b3b2e9e53346f4bbeafd6ad37a5d43a3e8889548b56739f3b19dad77eb0c65de603d2158877c99bcc4dc7	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb60000000002000000000010660000000100002000000027cb6a6a018f40b8dfae2925286e516de8720727614f4b45e0825bb5437d0aa0000000000e800000000200002000000039798f93869d54c17165c490546580dcfb30793d9649d6081c1c3fe18f37da8a10000000ffc2900a50c6df18d2fd1ceed5b9692d400000002fed8aea2b592fdcfa3dcab1197cfd75b74e90ac1b1c186585ab40751ec82de39aee3b57c07add43c83a0151964e6bfbd113f1643e47ddb003300adaf5f4b766	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb600000000020000000000106600000001000020000000d77ba9938615089ceb053077c60fda3f4c3a12103ed57eef28ca1fd346415371000000000e8000000002000020000000897aa6b6f8829dcefadcba58da43c12c6f6e22f99e29b9e766fa556a7b5c695b10000000ac3c4aa263a0d6c1eb05c6ca3ebbacbb400000006c53af71d4ecf54b54b27744a8399e586776a7110dc208d3621a7bd74090b145a90ceba6a3b8a975bbcdad3f1fea331e73b9bb9c08f1b832817c7a912ba4e418	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb60000000002000000000010660000000100002000000015bfd966def0f8c3c9977708651b88ab49e83194ef484e2a658cf27a2c8e7b69000000000e8000000002000020000000c8875c00ffa03359319555de2fa386ce49510395489126a03eb6e27979dcf7fc100000008078bfce8b8a1b8f921e1609eda5a96e40000000aad561ef8b6c2d476f81f76da9efe732178c15fcb93a3f8416e699afa8954650704b58bfffee9e3fbc5f8f244b4f3a2cdd354cb9997699b09633efd6a6032b25	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb600000000020000000000106600000001000020000000cffe8aca634e3ce937146ba1f88a1de32d4c6a6d10970ceaf37f022479dc521c000000000e8000000002000020000000d2aebfba045971b1e015d9bd55b8dedb267fcab1fd0f057a2a749e19eb4480f01000000050e6ea415e79230af4e6646dd08a9c5040000000e99c61e0c7fe2f98fa245dfb2b0f93b1749a54b5f5e74499f4da5564d75de1929ae62f76582992acf6618f15f37ccf5ede956b1eada02ce2c0a9c092c0ad5e77	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb6000000000200000000001066000000010000200000001b528f41a21bc258b2fc8cbf1b80cf557266d2729e6f9014f027ca7eb4f7f0e0000000000e800000000200002000000024889d6b34a0915625d54d48bb4a418f13fb940b243175619c8b1cd55fe755f11000000082c2b73bc26309803ef5e6ae0a5b86d640000000bbc5a02eb6be41a0e0124937bae1e7263b50e06f3177200fc35e8cb56853e5fe3317bede60f0733a80f8e17aa4b9d9801ba6a56700af53aca11644f31a262ecb	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb6000000000200000000001066000000010000200000001dffd6818fedd18079514da6a9beff9343d4728c47c55397d1293a32946816d2000000000e80000000020000200000003b5a5abc50c02388d115106570908b2bdf35c38ceedce77d1c8bf489e2825e5c10000000e2e9754d6234936c1f16ea622d28460f40000000deac90af87fb965b7e1acffb3820cae53340d91420260197fedd2d1f0745ce0cac83c4403e439b344392491cf15d2a4c24641c768053eb880137b9160503896d	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb600000000020000000000106600000001000020000000f4ee8d657b9baca275a8acb0d6a7a34b1c36e3934184e1c2e6915a690e6ca09b000000000e8000000002000020000000bda47df04ba47637c5d05bdcb27fe390e301c415a76efb7c58159d1f533a1acb100000008dc11032ae46b38cef7007b4170ed026400000002bd7fb62c09110e351db373b35fd13ace6318be31ea30a557549537713b8ebc6aae33652231a43cfd72b17dbe8aaff5a359f45cd2a010843c2d4ec49ecc79989	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb600000000020000000000106600000001000020000000c3aa0ae2f38cc0feabf2ba9f5bb92b8c4b8fed972d3034503fd8602806778d44000000000e800000000200002000000028ac48cd3bab8de55be8d7c691b02fe1a1d4fc9d346c05056683f1bb8370b71c10000000418069c35b37aaa8882cebf6ba7da8094000000047520f569953a376ceb588d1cda1c68c00b366bb5cf3830cc205f8cba5d6f00dd64ad008789ba67086c5862203e76e63466d1071d911fdad8cdd1f9cf8b8c737	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb600000000020000000000106600000001000020000000a5461259f428e28fd1da320cbcb21941827f1251adbe8d01c3285f600ff5ab62000000000e8000000002000020000000f66811afeba0e517eafb41f71dc5afcf4fb1ce859e11c824a03c1a97ed34925910000000b90df728546d1e06050df49fae7af4e3400000001979c9ba2da1c92b62af1a9cb14b678f0bdb0144a4f15d17db3939b6d5342b3c501ac5350f229e94bf8f04ae23117492ef067cb617253c35f62f456767d57314	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb6000000000200000000001066000000010000200000004e6a5aacdf805aa46f485fb7f8340a300ee879e603a905b9e7c6c4d6b0772e5e000000000e80000000020000200000002fc8b61137cc76fa22217d4bf11f4d227ee92c706677e6dcaa3ff4b381a8c72510000000aa367bfe0195d00183ce5d38f6b4e46040000000906328ec7110417af38a6aa4623159b1a9fc2b4b82fc40cb489344c4c017d99353ac2e79b721f1970b437e661dbc2fcc04cb58aa83512b53f4a00727630858bb	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80792&iwk=861&lng=en"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb600000000020000000000106600000001000020000000a110bae72713cfe72e290a43e8b6167f971fb82e64e2d20bb811a0c0ec490378000000000e80000000020000200000006ab1c6f14db0d80236e99866e3426e04bd53038c21242a511002c2aa1f2670171000000028bb08044c6df74c4b05126f500b775c4000000095c95b2cbec6267b9fbbfbc9a1de7f147d2c25c1b5717d5d095c488628393421f98a0bc2995f5ccc946c5cb85750c1780c118d91d24c1e816f3b27550a7c2da1	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb600000000020000000000106600000001000020000000b33dea15dbaf967fba3c975f343e00f136f65e3c167b7cc52b8ff0b68769c132000000000e800000000200002000000071a4f6bc755c2edea56796089f31573756b8a74923faf08cfde28fc73768bd9b100000007e1fdf083fa6500144173ff624f27c8d4000000022a93ac9ffb44d4a17d136636c20d0da5d459cea7371a781fdc281e1e8641acd9c7649ecc458490fcc928c8f934757a5aa91ad935ad9bf10377efb5b877044a3	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb600000000020000000000106600000001000020000000ede44ffa9737108abf3219df15c1f413381229ec4eb3b20373fb1289397c2827000000000e80000000020000200000001e55ea6cf2a351c4138375e56c467673b6967f67a7bcc4f53c4ab2d6b5299a72100000000d82f09af44755aaf6fa54090b066d41400000002ed1c71dc5aad03c7764772a2c7a12d539605fc508c11f028fbf54e5e5ebba8980981974a0b0d59010736c0d80336ebaabe0dfc054b696a378a1bf6c10e480b1	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb60000000002000000000010660000000100002000000071199724652c67c6a087e8d7792cd86a2ecbb57757e0a52a6fdec9e124e57006000000000e80000000020000200000001a3ac9758d78122912a8c63f4b534d7bad409c0a9b671efdfa8ffef9a702cd7f100000004821e2000be5f7fe3d585ce044f53e6640000000e379a22a4766f284528851e093da32cf47108393e2cd6bf623aa4e75307de3d2838416a8f40f547b920029775e0cbc8f48ebfa58f613357696270b8d23d18343	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb60000000002000000000010660000000100002000000073e0a48d2ef7d96c1d9d19207b5f102c3943a61cfb5bcf460a81d3a620ffd310000000000e800000000200002000000001ae1fe64ce2520f2810b2538313dac42cc821f59d449287aa21f4f8f058fb3e100000007fbd483185d3bdc385bff6e4f23f1a9540000000b43ba78ce7a1f9204e5db16954c1ef0244744c7159afed69ac7eea4ec9c3351b9c3b6dcde6f98f5bca2a426e885c7d55bc8fc7e81b3b51fac037b03fbb42f001	Inbox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a7e294e30a57c4181a3649eb9f00eb60000000002000000000010660000000100002000000044ab56dad72ddf267abd76d4f8100c02547801d30ef47caa733b69c33ac4db26000000000e800000000200002000000020a04a413ddfc720cc1df46e5a972f0ee88b9667a2a3ebe43c83cfe28ae5117c10000000aa858f1dae1899591aaeb41197d61d3d40000000904f4c33be3f25d0274a3d5a54010db42f9495c74f026cd5357a5f6a6fbcfdd07b74e6dfb079e9bd3ffbadf71a9c1cb8f03992b966fcf43785d6c978225a11d7	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\FLAGS\ = "0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\ = "Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib\ = "{CBEF8724-D080-4737-88DA-111EEC6651AA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID\ = "Inbox.IBX404"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\ProgID\ = "Inbox.IBX404"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\ = "Inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\Version = "1.0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Inbox Toolbar\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\Clsid\ = "{D7E97865-918F-41E4-9CD0-25AB1C574CE8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ = "IAppServer2"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ = "IAppServer"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ = "&Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\Version = "1.0"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030106082b060105050703031400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e0000007400680061007700740065000000030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 1900000001000000100000005dc45e2cd1845791bdde7600050af510030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a0b000000010000000e00000074006800610077007400650000001d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e71400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc090000000100000016000000301406082b0601050507030106082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c00f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef20000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob = 040000000100000010000000069f6979166690021b8c8ca2c3076f3a0f00000001000000100000005f3d1aa6f471a760663eb7ef254281ef53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c0090000000100000016000000301406082b0601050507030106082b060105050703031400000001000000140000005ff3246c8f9124af9b5f3eb0346af42d5ca85dcc1d0000000100000010000000d4803ac36c256817d4ec5936f29bc4e70b000000010000000e0000007400680061007700740065000000030000000100000014000000627f8d7827656399d27d7f9044c9feb3f33efa9a1900000001000000100000005dc45e2cd1845791bdde7600050af51020000000010000002b0300003082032730820290a003020102020101300d06092a864886f70d01010405003081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d301e170d3936303830313030303030305a170d3230313233313233353935395a3081ce310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3121301f06035504031318546861777465205072656d69756d205365727665722043413128302606092a864886f70d01090116197072656d69756d2d736572766572407468617774652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d236366a8bd7c25b9eda8141628f38ee490455d6d0ef1c1b951647ef1848353a52f42b6a068f3b2fea56e3af868d9e17f79eb46575024defcb09a22151d89bd067d0ba0d92061473d493cb972a009c5c4e0cbcfa1552fcf2446eda114a6e089f2f2de3f9aa3a8673b6465358c88905bd8311b8733faa078df4424de7409d1c370203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010405000381810026482c16c258fae816740caaaa5f543ff2d7c978605e5e6e37632277367eb217c434b9f50885fcc90138ff4dbef2164243e7bb5a46fbc1c6111ff14ab02846c9c3c4427dbcfaab596ed5b7518811e3a485196b824ca40c12ade9a4ae3ff1c349659a8cc5c83e25b79499bb92327107f0865eed5027a60da623f9bbcba6071442	Inbox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2228	2120	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	30
PID 2120 wrote to memory of 2228	2120	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	30
PID 2120 wrote to memory of 2228	2120	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	30
PID 2120 wrote to memory of 2228	2120	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	30
PID 2120 wrote to memory of 2228	2120	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	30
PID 2120 wrote to memory of 2228	2120	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	30
PID 2120 wrote to memory of 2228	2120	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	30
PID 2228 wrote to memory of 332	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	31
PID 2228 wrote to memory of 332	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	31
PID 2228 wrote to memory of 332	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	31
PID 2228 wrote to memory of 332	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	31
PID 2228 wrote to memory of 2452	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	32
PID 2228 wrote to memory of 2452	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	32
PID 2228 wrote to memory of 2452	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	32
PID 2228 wrote to memory of 2452	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	32
PID 2228 wrote to memory of 600	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	33
PID 2228 wrote to memory of 600	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	33
PID 2228 wrote to memory of 600	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	33
PID 2228 wrote to memory of 600	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	33
PID 2228 wrote to memory of 600	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	33
PID 2228 wrote to memory of 600	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	33
PID 2228 wrote to memory of 600	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	33
PID 2228 wrote to memory of 1148	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	34
PID 2228 wrote to memory of 1148	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	34
PID 2228 wrote to memory of 1148	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	34
PID 2228 wrote to memory of 1148	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	34
PID 2228 wrote to memory of 1148	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	34
PID 2228 wrote to memory of 1148	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	34
PID 2228 wrote to memory of 1148	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	34
PID 2228 wrote to memory of 2104	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	35
PID 2228 wrote to memory of 2104	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	35
PID 2228 wrote to memory of 2104	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	35
PID 2228 wrote to memory of 2104	2228	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	35

C:\Users\Admin\AppData\Local\Temp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe
"C:\Users\Admin\AppData\Local\Temp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\is-2GC3K.tmp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2GC3K.tmp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp" /SL5="$400F8,1666168,70144,C:\Users\Admin\AppData\Local\Temp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:332
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:600
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1148
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\blue_green.xml

Filesize
52KB

MD5
73ae8ec141d41888f4f4efc96e3158aa

SHA1
ed00518da7d76b725af71e493026e1645f33a9f9

SHA256
3b18558a9b1f02bc5724b37c128389804f89a6aee5f9b9b484e94d0548057110

SHA512
95adef46aef2529a9f33050a88dde6a8217e88f4ae6246ffc2f9fbdf985bd1bef1b505561a8bf10ddef376ecb340e632994be127f5a7b36f60bc0b4642cd0108

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_calculator_fr.xml

Filesize
5KB

MD5
399a73749278980e95ce700b63df5fe7

SHA1
70d422373678cd28595b833220604c2c87fe91eb

SHA256
0722786036cff066f462926dfc0c111666ca828641a6002743a05b4d8a94a6f1

SHA512
9cacf2e2fcaa80a2e05d41e4c08f683a71eae7a6e34f8ecf239fadfb019c814bb4783f60307c2de4efc974cf5d42f4ce0c3fd155cab33635f4474da2a24dd7dd

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_currency_fr.xml

Filesize
5KB

MD5
32b33bfcbc9c1e3824a9f85b824bf014

SHA1
71a9518c7dc16a058f2fac5a1550e51fcf4b7a6b

SHA256
01e7740dc4ce754aa12eb4ed8ffb3bd143c86c972007728bf48e5d125c948066

SHA512
e4338811a934a5f669be46b82a26e7d6daa2436cf461b0163a68e84c09360e5ca60012c9424aa913d83bc4989f92621c44c37829514f1782a85d4824c2bacee0

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_measures_fr.xml

Filesize
5KB

MD5
3768bdfb68565925cece53689dbc5f55

SHA1
810033ee9d466dba9a8d01bc87f0098202c56fb6

SHA256
a904b7a2a89a01409fddc8b76062d61e420f450cbae25a51918d6cc64d41c320

SHA512
845131ea94b1b714f16d895ba6abee3a5d85cf45ff923005ea0647a9b2f014b738dadb3da6e3972972c121c0b0a646dd20b41117a5265a1ca65bb61d883fc9a8

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_unit_fr.xml

Filesize
5KB

MD5
641bb69a98502dc4c69aa74569e982bf

SHA1
e0ca90f45ab0be5514ed47554b14b430b8492619

SHA256
21ede483f4db58c9a871e816de2a5e609e24363356aae5431225893a126fe9ae

SHA512
527ee5a12706500c20e2aa6659cdaac2eadeb7310869a50efcc3000cf2d4454b2a1a334ed87f99ab4b7efbd5c963c8c68329b3cde75baae2eb8436aaf3aed3e8

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
2a4e801ff572a6090416229da357a453

SHA1
79f786edd3b590f017916527af27220bf944cd0b

SHA256
dff29dcf0d005b1c86362027f5e916a3acc804b0193f802fbecdb9b3aeba191a

SHA512
b227e511b2981840bf051adec34e89b1c3a8369d0e28c923e4302f300570bc91153e899c7dc9b60692e6fe675ae0c1106baa2efdcfbbd002694308970ccd1b29

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
4933891732a3eb9ee44a5abebf8c84ad

SHA1
5f95c4cc04ad57277231d223c4c3798691dd313a

SHA256
93502ac1feb805ae8075a7235814b9f5014c6f0138a7ff88afef04f6a0526951

SHA512
6dc43eac8623cd4f719453fe1199d89b7e19ba13566e91eb0b1c4f902c0cb52a8175cac80c413b335cd162c395d3cbef19bdf0beaa16bfc830e33800a2639a8c

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
8f0d4ab82c5be4a95f01a743ad5a383e

SHA1
b242084a38b997eabc51c37f23316abd25b7ea04

SHA256
e46bc5159440ab1b3aac00317f2815a8159f823b8509de43454536ee6b725fe5

SHA512
39a7b13551a55444e5306ed7bb54490222d94eaae9de5e6d5631bdd0c0d4461ec80edeca53aa95d366f8d0a00fa9bd3fed8e52498823122ba7c7ba6c969bc99c

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
7e248eee50e58cb6ce8fe84679e22916

SHA1
a193272ffe368f83bd3e0c58ddbe59bfb03ccbeb

SHA256
49be722168c360177d98607927ea7b3d9d5753fd5a4a6757fa1d5d15bd4a1ab5

SHA512
fefa6e9070a19c3d6f79944c70d7800ceac3a0c70129cd946f01dc64ec5a35a08077ea1ce9f6bf6d2bcefc2f8fde1cf14f16c6e234df45b9b19527cf140d85b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
29B

MD5
3ae883e8a3e0272e3b0844d35a05fd87

SHA1
45b5ad9ea39c60ee61d6ad5776b82975c27191c5

SHA256
c37f72f8519621289d97d31889959c508ecd8ee7a18dd04462fcce53b74719c1

SHA512
5dbcd8f6ed1891f9099723934f46955f90d9219dc07ba468ab1cd286f9b96154365f4ada2515639a8f0710b98fa01451d01e02482ba334905d9443782eb2ed0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico

Filesize
1KB

MD5
34f4618666b7e80e687b25b82a7da5e2

SHA1
ab543a8992b71891139d608d77403a59bfabd501

SHA256
fa975f7a7a854a7730b1c92d1567706dce2eab80d78cf131eb1cec40e88cb7e3

SHA512
b7e4eeccdd9d84d9a352e9490f19d08c06c54554ac52e3ba9aa1a81de2181a6a185387a323122021303afe32da21ceb3f1f6aa3524c45a6c8d9abac4144237eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab517C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5556.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0HOS.tmp\RI_AfterDot.bmp

Filesize
84B

MD5
7ccd5a0af4da51cf4962f184fcf9456a

SHA1
de37f4521fa7fee49b37898f4136728e8971ee0f

SHA256
8f2374b30622dfae1fd0b9706520de34c5e1597c1531fddbff65bc0201132ac7

SHA512
d7c4fbc6a4413dc457400fa2e026dea5d639a5b413164cc6939284c46bb46b6ae8ff10184ba2da4f32ace89646b026400db2a49dd9894d71e88d003a91c8267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0HOS.tmp\setupcfg.ini

Filesize
44B

MD5
07352ba73699fdaef6e2f996b9aa8f74

SHA1
512b73da0a2645a123835777327864bd72d3fbed

SHA256
30b91bc9116288231a2c574e4f78c678a049c08867d56e7b280b6e569449f01a

SHA512
b3ce3222ead04c4bf4b0252def84f6b19c950fc012ca97ef7faa3185df35c4375490b15035ae06b3fc709c76c7e7cd4e9a5ffa7851773fcc7ed4c45270e05671

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0HOS.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
4f5e181c0b6744c28c2baf7e06fc3693

SHA1
3b757aba2cd2f1ee9d5b5d87095bffc3222667fa

SHA256
5a22ff570d2cef55533c32e31d50d60daaf93ef98c853046b95ce4240b2574d9

SHA512
3a523ee2e6ed46cbce048a995611a401f74364fbf4ec90739f2406febf274b850fb1dd4785ee9fe66a53b760b7ea6001acc9e323556ed05fe360e904beb6ecc0

Download Submit
\Users\Admin\AppData\Local\Temp\is-2GC3K.tmp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
\Users\Admin\AppData\Local\Temp\is-G0HOS.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-G0HOS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/332-193-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/600-225-0x0000000002650000-0x000000000275B000-memory.dmp

Filesize
1.0MB

Download
memory/1148-228-0x0000000002340000-0x00000000024D1000-memory.dmp

Filesize
1.6MB

Download
memory/2104-349-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2120-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2120-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2120-220-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2228-231-0x00000000049F0000-0x0000000004AFB000-memory.dmp

Filesize
1.0MB

Download
memory/2228-223-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2228-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2228-22-0x0000000000620000-0x0000000000657000-memory.dmp

Filesize
220KB

Download
memory/2228-346-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2228-348-0x00000000049F0000-0x0000000004AFB000-memory.dmp

Filesize
1.0MB

Download
memory/2228-222-0x0000000000620000-0x0000000000657000-memory.dmp

Filesize
220KB

Download
memory/2228-388-0x00000000049F0000-0x0000000004AFB000-memory.dmp

Filesize
1.0MB

Download
memory/2452-219-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download