ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5

Analysis

max time kernel
119s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe
Size

2.2MB
MD5

02b4a52ec119d3cf966d70da67eb3cef
SHA1

b424858fe8871e2ca7b513f34f7568e4d04ec4cf
SHA256

ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5
SHA512

3a1bedf763bb685be3d1712db82f9e201a0102956839ce3b31664b91a796eca92c41b606e2b7a6b95c5f43b0550a761b35f7458aac3f38c38b66dee621acabf7
SSDEEP

49152:GeZM+VKH/ZKhwqQtUWzpDMnOmB7ebA5rOYiZnS:7GWwvtt1jmxebSivZnS

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Inbox.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
704	Inbox.exe
2376	Inbox.exe
4968	Inbox.exe
4660	Inbox.exe

Loads dropped DLL 7 IoCs

pid	Process
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
3720	regsvr32.exe
2064	regsvr32.exe
2064	regsvr32.exe
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\InboxToolbar = "\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"	Inbox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-NG5B1.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-NVBO6.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-K4RSD.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-R50GB.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\unins000.msg	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_calculator_fr.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\uninstall.ini	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Inbox.ini	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-S65OA.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\Buttons\is-DHH65.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\unins000.dat	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\blue_green.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-M8SR1.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-32D0F.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\setupcfg.ini	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_currency_fr.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_measures_fr.xml	Inbox.exe
File opened for modification	C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_unit_fr.xml	Inbox.exe
File created	C:\Program Files (x86)\Inbox Toolbar\is-PC0VI.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
File created	C:\Program Files (x86)\Inbox Toolbar\is-8NOFO.tmp	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\SuggestionsURL_JSON = "http://www.inbox.com/s.aspx?q={searchTerms}"	Inbox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\IEWatsonEnabled = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} = 00	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconURLFallback = "http://www2.inbox.com/favicon.ico"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\Policy = "3"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\URL = "http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80792&iwk=861&lng=en"	Inbox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ShowSearchSuggestions = "1"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppPath = "C:\\Program Files (x86)\\Inbox Toolbar"	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{C04B7D22-5AEC-4561-8F49-27F6269208F6}.ico"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\AppName = "Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}	Inbox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\DisplayName = "Inbox Search"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}\AppName = "Inbox.exe"	Inbox.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.inbox.com/homepage.aspx?tbid=80792&iwk=861&lng=en"	Inbox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\Version\ = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer\Clsid	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\inbox\ = "inbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.Toolbar\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\TypeLib\Version = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\ProgID\ = "Inbox.JSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Inbox Toolbar\\"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid\ = "{042DA63B-0933-403D-9395-B49307691690}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\TypeLib\Version = "1.0"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}\ProxyStubClsid32	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}\1.0\FLAGS	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\ = "IJSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FAE973C-3FE3-44BF-81F0-ADB0D42CE851}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\TypeLib\ = "{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}"	Inbox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.AppServer	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{042DA63B-0933-403D-9395-B49307691690}\InprocServer32\ = "C:\\PROGRA~2\\INBOXT~1\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\InprocServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\ = "Inbox Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\ = "&Inbox Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\TypeLib	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\LocalServer32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.IBX404\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inbox.JSServer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}\ProgID\ = "Inbox.AppServer"	Inbox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}\1.0\0\win32\ = "C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
4660	Inbox.exe
4660	Inbox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4660	Inbox.exe
4660	Inbox.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 4808	4004	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	83
PID 4004 wrote to memory of 4808	4004	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	83
PID 4004 wrote to memory of 4808	4004	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe	83
PID 4808 wrote to memory of 704	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	86
PID 4808 wrote to memory of 704	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	86
PID 4808 wrote to memory of 704	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	86
PID 4808 wrote to memory of 2376	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	87
PID 4808 wrote to memory of 2376	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	87
PID 4808 wrote to memory of 2376	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	87
PID 4808 wrote to memory of 3720	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	93
PID 4808 wrote to memory of 3720	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	93
PID 4808 wrote to memory of 3720	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	93
PID 4808 wrote to memory of 2064	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	94
PID 4808 wrote to memory of 2064	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	94
PID 4808 wrote to memory of 4968	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	103
PID 4808 wrote to memory of 4968	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	103
PID 4808 wrote to memory of 4968	4808	ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp	103
PID 4968 wrote to memory of 4660	4968	Inbox.exe	104
PID 4968 wrote to memory of 4660	4968	Inbox.exe	104
PID 4968 wrote to memory of 4660	4968	Inbox.exe	104

C:\Users\Admin\AppData\Local\Temp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe
"C:\Users\Admin\AppData\Local\Temp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\is-AGS5I.tmp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AGS5I.tmp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp" /SL5="$80060,1666168,70144,C:\Users\Admin\AppData\Local\Temp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:704
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /install
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3720
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2064
- - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
    "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /afterinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
      "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /TRAY 0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inbox Toolbar\Buttons\blue_green.xml

Filesize
52KB

MD5
73ae8ec141d41888f4f4efc96e3158aa

SHA1
ed00518da7d76b725af71e493026e1645f33a9f9

SHA256
3b18558a9b1f02bc5724b37c128389804f89a6aee5f9b9b484e94d0548057110

SHA512
95adef46aef2529a9f33050a88dde6a8217e88f4ae6246ffc2f9fbdf985bd1bef1b505561a8bf10ddef376ecb340e632994be127f5a7b36f60bc0b4642cd0108

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_calculator_fr.xml

Filesize
5KB

MD5
399a73749278980e95ce700b63df5fe7

SHA1
70d422373678cd28595b833220604c2c87fe91eb

SHA256
0722786036cff066f462926dfc0c111666ca828641a6002743a05b4d8a94a6f1

SHA512
9cacf2e2fcaa80a2e05d41e4c08f683a71eae7a6e34f8ecf239fadfb019c814bb4783f60307c2de4efc974cf5d42f4ce0c3fd155cab33635f4474da2a24dd7dd

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_currency_fr.xml

Filesize
5KB

MD5
32b33bfcbc9c1e3824a9f85b824bf014

SHA1
71a9518c7dc16a058f2fac5a1550e51fcf4b7a6b

SHA256
01e7740dc4ce754aa12eb4ed8ffb3bd143c86c972007728bf48e5d125c948066

SHA512
e4338811a934a5f669be46b82a26e7d6daa2436cf461b0163a68e84c09360e5ca60012c9424aa913d83bc4989f92621c44c37829514f1782a85d4824c2bacee0

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_measures_fr.xml

Filesize
5KB

MD5
3768bdfb68565925cece53689dbc5f55

SHA1
810033ee9d466dba9a8d01bc87f0098202c56fb6

SHA256
a904b7a2a89a01409fddc8b76062d61e420f450cbae25a51918d6cc64d41c320

SHA512
845131ea94b1b714f16d895ba6abee3a5d85cf45ff923005ea0647a9b2f014b738dadb3da6e3972972c121c0b0a646dd20b41117a5265a1ca65bb61d883fc9a8

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Buttons\converter_unit_fr.xml

Filesize
5KB

MD5
641bb69a98502dc4c69aa74569e982bf

SHA1
e0ca90f45ab0be5514ed47554b14b430b8492619

SHA256
21ede483f4db58c9a871e816de2a5e609e24363356aae5431225893a126fe9ae

SHA512
527ee5a12706500c20e2aa6659cdaac2eadeb7310869a50efcc3000cf2d4454b2a1a334ed87f99ab4b7efbd5c963c8c68329b3cde75baae2eb8436aaf3aed3e8

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.dll

Filesize
1.0MB

MD5
2a4e801ff572a6090416229da357a453

SHA1
79f786edd3b590f017916527af27220bf944cd0b

SHA256
dff29dcf0d005b1c86362027f5e916a3acc804b0193f802fbecdb9b3aeba191a

SHA512
b227e511b2981840bf051adec34e89b1c3a8369d0e28c923e4302f300570bc91153e899c7dc9b60692e6fe675ae0c1106baa2efdcfbbd002694308970ccd1b29

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe

Filesize
1.3MB

MD5
4f5e181c0b6744c28c2baf7e06fc3693

SHA1
3b757aba2cd2f1ee9d5b5d87095bffc3222667fa

SHA256
5a22ff570d2cef55533c32e31d50d60daaf93ef98c853046b95ce4240b2574d9

SHA512
3a523ee2e6ed46cbce048a995611a401f74364fbf4ec90739f2406febf274b850fb1dd4785ee9fe66a53b760b7ea6001acc9e323556ed05fe360e904beb6ecc0

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
4933891732a3eb9ee44a5abebf8c84ad

SHA1
5f95c4cc04ad57277231d223c4c3798691dd313a

SHA256
93502ac1feb805ae8075a7235814b9f5014c6f0138a7ff88afef04f6a0526951

SHA512
6dc43eac8623cd4f719453fe1199d89b7e19ba13566e91eb0b1c4f902c0cb52a8175cac80c413b335cd162c395d3cbef19bdf0beaa16bfc830e33800a2639a8c

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox.ini

Filesize
2KB

MD5
8f0d4ab82c5be4a95f01a743ad5a383e

SHA1
b242084a38b997eabc51c37f23316abd25b7ea04

SHA256
e46bc5159440ab1b3aac00317f2815a8159f823b8509de43454536ee6b725fe5

SHA512
39a7b13551a55444e5306ed7bb54490222d94eaae9de5e6d5631bdd0c0d4461ec80edeca53aa95d366f8d0a00fa9bd3fed8e52498823122ba7c7ba6c969bc99c

Download Submit
C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll

Filesize
1.5MB

MD5
7e248eee50e58cb6ce8fe84679e22916

SHA1
a193272ffe368f83bd3e0c58ddbe59bfb03ccbeb

SHA256
49be722168c360177d98607927ea7b3d9d5753fd5a4a6757fa1d5d15bd4a1ab5

SHA512
fefa6e9070a19c3d6f79944c70d7800ceac3a0c70129cd946f01dc64ec5a35a08077ea1ce9f6bf6d2bcefc2f8fde1cf14f16c6e234df45b9b19527cf140d85b0

Download Submit
C:\Program Files (x86)\Inbox Toolbar\unins000.exe

Filesize
1.2MB

MD5
7dee68a0d798456ae7ffea8f4f0bc15c

SHA1
bdb85e11809ed912207cb9112f3bc9111a9c5214

SHA256
71ae22ed26dc839b3e4161742a32b8808227e78e3a510abcd849b53bd8cd3dff

SHA512
d3351337b558098ad017baf5af14a890c5724a1c70bf2632a9ad85bd5b21dee3fa639b78b03bcaa2efa77d54d40ba09c52cebd5aa2774c296b86fdf9f0e49caf

Download Submit
C:\Program Files (x86)\Inbox Toolbar\uninstall.ini

Filesize
61B

MD5
b99972609f3062ad9ff7147691392937

SHA1
6eb8b945e71a971fa93c808c2c4837fcb0d06a46

SHA256
77f725343da76769d0efb7c56bc2204f5c85240c9c3b558f0ebd68a7d59e308e

SHA512
23ab130cb447fcb1745e98454c63ca3a5797b312c05f309b7d264aceb8fd47ee63c7989c55ce92b552dbb3394b90bbaae1b5d8136b28bbce69c73998e6c79cd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
29B

MD5
3ae883e8a3e0272e3b0844d35a05fd87

SHA1
45b5ad9ea39c60ee61d6ad5776b82975c27191c5

SHA256
c37f72f8519621289d97d31889959c508ecd8ee7a18dd04462fcce53b74719c1

SHA512
5dbcd8f6ed1891f9099723934f46955f90d9219dc07ba468ab1cd286f9b96154365f4ada2515639a8f0710b98fa01451d01e02482ba334905d9443782eb2ed0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
69B

MD5
60ec226c2985de781dbd2aa830ec95db

SHA1
04118cd6f8fe0b0134192eee64ff5b8744fbc34f

SHA256
52ff9d63dafa87e0a999388ee046311c46871ba9c1878cb554d6d4fcc0291f48

SHA512
0b1c83295a2725bd779e76348c35185b090e3b7770a39bb97ce7f360170c79a1f4975f7c1a832aa13256606f49bb49f2010a30d2bd2d69e063fa59f8c0caa7cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
98B

MD5
843601ded5e84b303b2512f247921090

SHA1
5aa088892d91a1c2567b2881a913970fec5eab14

SHA256
93fd2faf5ea0c0a0a4fb814c22e0bf070ec9cbfae21419f9adceb14e8afac1b0

SHA512
0bcfc70b77abe91dd3200c0ca96b4ecbf6595e5c324c2ffb3dda245a2a0486126a9411453df6ded054d58de72a403aacbd2b2b0ebdec014e8f732b7e6edecfb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
111B

MD5
9da20bf029762bbe9e77fa09e46f4ea5

SHA1
d58e745d06cd5b3dd2901874aba7eeae87f2ba6a

SHA256
cae3340dd4b23475e1d5991cd5cbd156406f2eec0f60c52912660698d803f275

SHA512
491fdeb896d9a44284daa917908749ee5a85d9d98098cc7c294ec6d1cc5270e45dec4e34c8ce9a327d1949e2c45c4fa96c26f3506deeb88ff00899d9accc68d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\config.ini

Filesize
151B

MD5
58ea179907bb6608d65d2ae7523971a5

SHA1
581006f036b9af664a77664057e3c640dee55626

SHA256
4ea444a86cb74ee447e2abe1d1802a30d462255cc7f896e2493b50e796e8ea5f

SHA512
15d829c99cc6844031e92db4a1733e43465cf772bf379ad9a98f5a0f292a560b4c877fc4df158cb231aa4ad46c811881d46ed41f1c90b98c730819d671306199

Download Submit
C:\Users\Admin\AppData\LocalLow\Inbox Toolbar\translate.ini

Filesize
89KB

MD5
6b72fbdc939dffb3c9d268d521459f91

SHA1
948023c34ddd35bab4b83d80cabf6b7fb06eb5f2

SHA256
9b1c3b8a08541289d360526f37a4647a59fa40f474d2288ea6a5c3a947364fff

SHA512
f8948e0cc24361f361886a4f9467b8316ed093e0def78df860ed221e345a69a8cae785f57d08cfd3ac54741ea9dbde97f035eb88aa8d35b5529c32cf50b1d8e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\04C877C4AFBB535AAE63CDD73020ABA0

Filesize
504B

MD5
8ed4a8d4e4d3a505c9017e27c04f2d81

SHA1
e4152b52a85bdc7c74eae0639228c4e9d3124b9e

SHA256
4f3ae43cf7ef0b7765465180a1965373b5be7422fdacb5bc1ba519c43ce61810

SHA512
1b1bacb4ceb588a8c00e283941e8adf843cdb18038224d52d750b87105ac6c44d9f73595796d0b2a6a57bebc96b723dcaf4eb72f412928f1c75c680239473b19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\415AAC9DCEAFAF7DB9D97FB3E799FF52

Filesize
504B

MD5
8a5cadd18b9cd33f0b0468cb44d430c3

SHA1
ee37241e5249b79ef0276e092e564013c8bf0c23

SHA256
c523790a4b063edec097ec012583c4197c220e9b42ccd457c112be92731f7081

SHA512
09dc2283c0c1fe3261eab42dcd51a9742c072183f41ea2a0000ace435dc799e363b5404cb1b087331a547c6504468dfd62ea77fb69665f3d8e17fc4e6f29fd57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\04C877C4AFBB535AAE63CDD73020ABA0

Filesize
546B

MD5
56d3b34183c759a1cc63b854481d7658

SHA1
553f149224c3a8e3ddb05b3aee1d0aaed3ceb373

SHA256
ed3c6189ad93ea6228b7e07decf61aec64ff5228e8a41fe20cc383850b353cbe

SHA512
09b9284cfd6a704d29bef003ef417648a96a71e114ad8044ac4ff1eec459e817384a5ec3a129da223f1e5ecaa91a08354666427d9bc585436c954e099f55c4a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
7f5afb4bd58523ce85a1d65c7651de3e

SHA1
3d0d3c3e09f8b3227fd6adf91207d80997f6e43f

SHA256
fdfb1eb6e2031456bd14de318ce3b81eec20d109e054ead6abe0ce8a2330ab71

SHA512
7991aa3a587322699b8978d9bfc4fc4cfa69f4817afdc86b70458858d3e226bb35ac1eef9400cdfe43eba48001ae71175740f336d945669af2779e9d42742ef8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\415AAC9DCEAFAF7DB9D97FB3E799FF52

Filesize
546B

MD5
9d2d24846a90c29b392b41eae4c501ba

SHA1
f9a3e04e0079058c8472316c0f6d804af4a17836

SHA256
7a7ee4012e73c6d36cf90a58bd1fbc1ca6011ceca0fe963fd13f974fc3415c1c

SHA512
bc3c21362b69db75cde965f37953b368cff86d1aa3b047dcd889eac33edb5168fa1c3848db7c32c966c0bcabb9d4991855997d2f802b8b4a84c781fb27a9e34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AGS5I.tmp\ef9f232e313d9dd77d7db51379f86c150c19373344bd27b592b1a803cfe9f8f5.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EFRS1.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EFRS1.tmp\setupcfg.ini

Filesize
44B

MD5
07352ba73699fdaef6e2f996b9aa8f74

SHA1
512b73da0a2645a123835777327864bd72d3fbed

SHA256
30b91bc9116288231a2c574e4f78c678a049c08867d56e7b280b6e569449f01a

SHA512
b3ce3222ead04c4bf4b0252def84f6b19c950fc012ca97ef7faa3185df35c4375490b15035ae06b3fc709c76c7e7cd4e9a5ffa7851773fcc7ed4c45270e05671

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EFRS1.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
memory/704-147-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2064-185-0x00000000023E0000-0x0000000002571000-memory.dmp

Filesize
1.6MB

Download
memory/2376-180-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4004-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4004-114-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4004-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/4660-326-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4808-116-0x0000000003C60000-0x0000000003C97000-memory.dmp

Filesize
220KB

Download
memory/4808-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-256-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-209-0x0000000004960000-0x0000000004A6B000-memory.dmp

Filesize
1.0MB

Download
memory/4808-207-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-189-0x0000000004960000-0x0000000004A6B000-memory.dmp

Filesize
1.0MB

Download
memory/4808-115-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-20-0x0000000003C60000-0x0000000003C97000-memory.dmp

Filesize
220KB

Download
memory/4808-323-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-371-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-339-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-341-0x0000000004960000-0x0000000004A6B000-memory.dmp

Filesize
1.0MB

Download
memory/4808-340-0x0000000003C60000-0x0000000003C97000-memory.dmp

Filesize
220KB

Download
memory/4808-344-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-349-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-354-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-359-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4808-366-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4968-292-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download