17cff57bc7b10004fc9e3fe1972208c275d33c832912d2949f58040ce5592f80

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdaf52245b4cfbab8209809c49d9e55f.exe
Size

6.6MB
MD5

bdaf52245b4cfbab8209809c49d9e55f
SHA1

416f5685bc7176a880c422068bebf29f87d4b2ef
SHA256

17cff57bc7b10004fc9e3fe1972208c275d33c832912d2949f58040ce5592f80
SHA512

2fc6ae223cbaac2b9de3c4514edf09d9d613772ed2fe55b59838d4d312b88737df25ea676b2e8161ba93ae9ca44215927bb7bc61572b20d9258ac1571510e75d
SSDEEP

98304:OucpgEgjU3FCxGzOjtD3V/3DcYQ8QPmxLe44DzhVYC7BMoSxOZcj6Fif330ksn:2+43Ax/tDl/wYQ3PmxLKhVPBps6iH0R

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	nsh7F63.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	SETUPD~1.EXE

Executes dropped EXE 12 IoCs

pid	Process
3528	nsh7F63.tmp.exe
1284	files.exe
1540	SETUPD~1.EXE
788	SearchquMediaBar.exe
4948	BandooUI.exe
4416	GLJ9E54.tmp
3936	GLJ9E54.tmp
428	GLJ9E54.tmp
828	GLJ9E54.tmp
4796	BndCore.exe
1552	Bandoo.exe
444	Bandoo.exe

Loads dropped DLL 64 IoCs

pid	Process
260	bdaf52245b4cfbab8209809c49d9e55f.exe
260	bdaf52245b4cfbab8209809c49d9e55f.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
1540	SETUPD~1.EXE
1540	SETUPD~1.EXE
1540	SETUPD~1.EXE
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
788	SearchquMediaBar.exe
788	SearchquMediaBar.exe
788	SearchquMediaBar.exe
788	SearchquMediaBar.exe
788	SearchquMediaBar.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
788	SearchquMediaBar.exe
788	SearchquMediaBar.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
788	SearchquMediaBar.exe
788	SearchquMediaBar.exe
4180	regsvr32.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
4948	BandooUI.exe
788	SearchquMediaBar.exe
788	SearchquMediaBar.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
4416	GLJ9E54.tmp
4416	GLJ9E54.tmp
3936	GLJ9E54.tmp
428	GLJ9E54.tmp
828	GLJ9E54.tmp
4796	BndCore.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\NoExplorer = "1"	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020}\ = "Searchqu Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\ = "Bandoo IE Plugin"	GLJ9E54.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1255\widget.xml	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Resources\~GLH0020.TMP	nsh7F63.tmp.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\FFSettings.exe	nsh7F63.tmp.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Resources\nudge4.wav	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btn-wide-maximize-down.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\btnarrow-previous-off.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\divider.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\css\manager.css	SearchquMediaBar.exe
File created	C:\Program Files (x86)\Fun4IM\~GLH000c.TMP	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\rss-expand.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\rsstabdivider.gif	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Bandoo.exe	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\templateFF.html	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid-s.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Resources\~GLH001e.TMP	nsh7F63.tmp.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\GIFAnimator.dll	nsh7F63.tmp.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\~GLH0036.TMP	nsh7F63.tmp.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\IE\Resources\~GLH003f.TMP	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\btn-wide-maximize-over.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\bluelite.gif	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\bg-btnover-mdl_ff.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\btnright-vista.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\view-detailed-over.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\images.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\rss-collapse.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-btn-play.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002a.TMP	nsh7F63.tmp.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1002.dat	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\widget_calcal.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\highlight.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\gametype.xsl	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btn-search-pnlbtm.png	SearchquMediaBar.exe
File created	C:\Program Files (x86)\Fun4IM\Resources\~GLH0020.TMP	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\lib\emailnotifierproviders.xml	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\arrow-dn.gif	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\scroll-right.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\border_10.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\options\options-main.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-volume-1.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Resources\~GLH001a.TMP	nsh7F63.tmp.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Resources\BandooMessages.xml	nsh7F63.tmp.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Resources\nudge2.wav	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1227\btn-dragresize.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\maps.bmp	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\ico-playstation-over.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\border_16.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\~GLH000d.TMP	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\rss-subscribe.png	SearchquMediaBar.exe
File created	C:\Program Files (x86)\Fun4IM\~GLH000e.TMP	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\btn-wide-close.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\edit-back.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\popupWidgets.html	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\options\options-widgets.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\~GLH000b.TMP	nsh7F63.tmp.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\widget.js	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\border_09.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\loadingMid.gif	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\button-drop-left.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\highlight_cyan.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\highlight_yellow.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\ico-download.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\music-note.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0023.TMP	nsh7F63.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002329c-230.dat	nsis_installer_2
behavioral2/files/0x000700000002329f-233.dat	nsis_installer_2
behavioral2/files/0x000700000002329f-238.dat	nsis_installer_2
behavioral2/files/0x000700000002329f-239.dat	nsis_installer_2
behavioral2/files/0x00070000000232ab-282.dat	nsis_installer_1
behavioral2/files/0x00070000000232ab-282.dat	nsis_installer_2
behavioral2/files/0x00070000000232ab-300.dat	nsis_installer_1
behavioral2/files/0x00070000000232ab-300.dat	nsis_installer_2
behavioral2/files/0x00070000000232ab-299.dat	nsis_installer_1
behavioral2/files/0x00070000000232ab-299.dat	nsis_installer_2
behavioral2/files/0x000700000002329b-856.dat	nsis_installer_1
behavioral2/files/0x000700000002329b-856.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\SuggestionsURL_JSON = "http://www.searchqu.com/suggest.php?src=ieb&systemid=402&qu={searchTerms}&ft=json"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EF2B6317-C367-401B-83B8-80302D6588A7}\Compatibility Flags = "1024"	Bandoo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\Compatibility Flags = "1024"	BndCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\Policy = "3"	nsh7F63.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppName = "ExtensionsManager.exe"	nsh7F63.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{074E4EFE-81BB-4EA4-866E-082CB0E01070}	Bandoo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\OpenInForeground = "0"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\ShowSearchSuggestions = "1"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}	nsh7F63.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "1"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}\Policy = "3"	SearchquMediaBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppName = "BndCore.exe"	nsh7F63.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\Policy = "3"	nsh7F63.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppName = "Bandoo.exe"	nsh7F63.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}\Compatibility Flags = "1024"	Bandoo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Groups = "1"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}\Compatibility Flags = "1024"	Bandoo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\Compatibility Flags = "1024"	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	nsh7F63.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	nsh7F63.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}	Bandoo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Enabled = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\URL = "http://www.searchqu.com/web?src=ieb&systemid=402&q={searchTerms}"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppName = "BndCore.exe"	nsh7F63.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\DisplayName = "Web Search"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}	BndCore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}	nsh7F63.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppName = "BandooUI.exe"	nsh7F63.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5379B4B-24D8-432A-9A96-BE75EE5117DB}	Bandoo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{7FF99715-3016-4381-84CE-E4E4C9673020} = "Searchqu Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\SuggestionsURL_JSON = "http://www.searchqu.com/suggest.php?src=ieb&systemid=402&qu={searchTerms}&ft=json"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B543EF05-9758-464E-9F37-4C28525B4A4C}\Compatibility Flags = "1024"	BndCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\Compatibility Flags = "1024"	BndCore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}	nsh7F63.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\Deleted = "0"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\URL = "http://www.searchqu.com/web?src=ieb&systemid=402&q={searchTerms}"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3E63C9BC-DD51-4E83-ABA6-B350EAD28531}\Compatibility Flags = "1024"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{8A96AF9E-4074-43b7-BEA3-87217BDA7402}"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	nsh7F63.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\Compatibility Flags = "1024"	Bandoo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0CE5B352-9D9C-41E1-9551-FCCD92820217}\Compatibility Flags = "1024"	Bandoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\ShowSearchSuggestions = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\DisplayName = "Web Search"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	nsh7F63.tmp.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}	nsh7F63.tmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchScopes	SETUPD~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	nsh7F63.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EF2B6317-C367-401B-83B8-80302D6588A7}	Bandoo.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	SETUPD~1.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\PopupsUseNewWindow = "1"	SETUPD~1.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShowActivities = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	nsh7F63.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	nsh7F63.tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}	Bandoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}	SearchquMediaBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}\AppName = "uninstall.exe"	SearchquMediaBar.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\Policy = "3"	nsh7F63.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5379B4B-24D8-432A-9A96-BE75EE5117DB}\Compatibility Flags = "1024"	Bandoo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsThreshold = "1"	SETUPD~1.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShortcutBehavior = "1"	SETUPD~1.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.searchqu.com/402"	SETUPD~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AD7A5B6-610D-4A82-979E-0AED20920690}\1.0\FLAGS	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6087829B-114F-42A1-A72B-B4AEDCEA4E5B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FlashAnimator.DLL	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E96B49B0-E11F-48FC-984A-EEC29A4F57E1}\ProxyStubClsid32	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CE5B352-9D9C-41E1-9551-FCCD92820217}\ProgID\ = "CURL.HTTPDownloadStatus.1"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPService\CurVer\ = "CURL.HTTPService.1"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01222E21-6BD0-4EB3-94F1-967EB09CCED5}	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9932C738-5580-4408-A0E8-5EA03BE5FB18}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5D99259-ADA3-48A5-B861-39813B713DCB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BGIFAnimator.BGIFAnimatorCtrl	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr\CLSID\ = "{B543EF05-9758-464E-9F37-4C28525B4A4C}"	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}\TypeLib\Version = "1.0"	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPFileDownloadService\CurVer\ = "CURL.HTTPFileDownloadService.1"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01222E21-6BD0-4EB3-94F1-967EB09CCED5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\InprocServer32	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CE5B352-9D9C-41E1-9551-FCCD92820217}\ProgID	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9C123289-82E1-4da7-A3C2-B8D28AAD114B}\ = "GIFAnimator"	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971}	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CF951-7F4F-4B8D-ACA8-C4EE934C27DC}\TypeLib\Version = "1.0"	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CF951-7F4F-4B8D-ACA8-C4EE934C27DC}\TypeLib	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\InprocServer32\ThreadingModel = "apartment"	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33DDFC61-F531-4982-8C32-4212B7835D44}\ = "_IBandooCoordinatorEvents"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D60A7941-4F69-4A79-BED7-72ADA784B8F7}\ProxyStubClsid32	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1\ = "StatisticMngr Class"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.BandooCoordinator\CLSID	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7DBA2B02-EA31-4B98-812B-C6E8AE5C2972}\ProxyStubClsid32	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9932C738-5580-4408-A0E8-5EA03BE5FB18}	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E57D3C8D-ADD0-4AE0-8A14-0D0F6A3487FB}\TypeLib	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BGIFAnimator.BGIFAnimatorCtrl.1\CLSID	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr\ = "StatisticMngr Class"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.PlugInNotifier.1\CLSID	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPService.1\ = "HTTPService Class"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7}\Programmable	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}\LocalServer32	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D60A7941-4F69-4A79-BED7-72ADA784B8F7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BGIFAnimator.BGIFAnimatorCtrl\CurVer	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\Version\ = "1.0"	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{477F210A-2A86-4666-9C4B-1189634D2C84}	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E57D3C8D-ADD0-4AE0-8A14-0D0F6A3487FB}\ProxyStubClsid32	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E5C9E1-A0E8-4F8C-8EAF-0F9250CC5786}\1.0\0	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\VersionIndependentProgID	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\MiscStatus\1\ = "131473"	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\VersionIndependentProgID\ = "CURL.HTTPDataAccessor"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AD7A5B6-610D-4A82-979E-0AED20920690}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Fun4IM"	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPDataAccessor.1\CLSID\ = "{074E4EFE-81BB-4EA4-866E-082CB0E01070}"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\TypeLib	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooIEPlugin.BandooIEPlugin.1\ = "BandooIEPlugin Class"	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06DE5702-44CF-4B79-B4EF-3DDF653358F5}\TypeLib	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.HTTPAsyncResult	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D60A7941-4F69-4A79-BED7-72ADA784B8F7}\TypeLib	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr\CurVer	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9005ED5-4A1D-4606-A4DF-1A25E7D7B417}\TypeLib	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72434BC1-E46D-47A1-A597-8749DFBCC24A}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9005ED5-4A1D-4606-A4DF-1A25E7D7B417}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{872F3C0B-4462-424c-BB9F-74C6899B9F92}\TypeLib\ = "{9C123289-82E1-4DA7-A3C2-B8D28AAD114B}"	GLJ9E54.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C29CF951-7F4F-4B8D-ACA8-C4EE934C27DC}\TypeLib\ = "{9C123289-82E1-4DA7-A3C2-B8D28AAD114B}"	GLJ9E54.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\Programmable	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPProxyInfo.1\CLSID	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPServiceFactory\CurVer\ = "CURL.HTTPServiceFactory.1"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BGIFAnimator.BGIFAnimatorCtrl\ = "CGIFAnimatorCtrl Object"	GLJ9E54.tmp

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe
3528	nsh7F63.tmp.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	1552	Bandoo.exe
Token: SeDebugPrivilege	1552	Bandoo.exe
Token: SeDebugPrivilege	444	Bandoo.exe
Token: SeDebugPrivilege	444	Bandoo.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe
Token: SeDebugPrivilege	3528	nsh7F63.tmp.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 260 wrote to memory of 3528	260	bdaf52245b4cfbab8209809c49d9e55f.exe	91
PID 260 wrote to memory of 3528	260	bdaf52245b4cfbab8209809c49d9e55f.exe	91
PID 260 wrote to memory of 3528	260	bdaf52245b4cfbab8209809c49d9e55f.exe	91
PID 3528 wrote to memory of 1284	3528	nsh7F63.tmp.exe	95
PID 3528 wrote to memory of 1284	3528	nsh7F63.tmp.exe	95
PID 3528 wrote to memory of 1284	3528	nsh7F63.tmp.exe	95
PID 3528 wrote to memory of 1540	3528	nsh7F63.tmp.exe	103
PID 3528 wrote to memory of 1540	3528	nsh7F63.tmp.exe	103
PID 3528 wrote to memory of 1540	3528	nsh7F63.tmp.exe	103
PID 1540 wrote to memory of 788	1540	SETUPD~1.EXE	105
PID 1540 wrote to memory of 788	1540	SETUPD~1.EXE	105
PID 1540 wrote to memory of 788	1540	SETUPD~1.EXE	105
PID 788 wrote to memory of 3332	788	SearchquMediaBar.exe	106
PID 788 wrote to memory of 3332	788	SearchquMediaBar.exe	106
PID 788 wrote to memory of 3332	788	SearchquMediaBar.exe	106
PID 788 wrote to memory of 4180	788	SearchquMediaBar.exe	110
PID 788 wrote to memory of 4180	788	SearchquMediaBar.exe	110
PID 788 wrote to memory of 4180	788	SearchquMediaBar.exe	110
PID 3528 wrote to memory of 4948	3528	nsh7F63.tmp.exe	111
PID 3528 wrote to memory of 4948	3528	nsh7F63.tmp.exe	111
PID 3528 wrote to memory of 4948	3528	nsh7F63.tmp.exe	111
PID 3528 wrote to memory of 4416	3528	nsh7F63.tmp.exe	112
PID 3528 wrote to memory of 4416	3528	nsh7F63.tmp.exe	112
PID 3528 wrote to memory of 4416	3528	nsh7F63.tmp.exe	112
PID 3528 wrote to memory of 3936	3528	nsh7F63.tmp.exe	117
PID 3528 wrote to memory of 3936	3528	nsh7F63.tmp.exe	117
PID 3528 wrote to memory of 3936	3528	nsh7F63.tmp.exe	117
PID 3528 wrote to memory of 428	3528	nsh7F63.tmp.exe	118
PID 3528 wrote to memory of 428	3528	nsh7F63.tmp.exe	118
PID 3528 wrote to memory of 428	3528	nsh7F63.tmp.exe	118
PID 3528 wrote to memory of 828	3528	nsh7F63.tmp.exe	119
PID 3528 wrote to memory of 828	3528	nsh7F63.tmp.exe	119
PID 3528 wrote to memory of 828	3528	nsh7F63.tmp.exe	119
PID 3528 wrote to memory of 4796	3528	nsh7F63.tmp.exe	120
PID 3528 wrote to memory of 4796	3528	nsh7F63.tmp.exe	120
PID 3528 wrote to memory of 4796	3528	nsh7F63.tmp.exe	120
PID 3528 wrote to memory of 1552	3528	nsh7F63.tmp.exe	122
PID 3528 wrote to memory of 1552	3528	nsh7F63.tmp.exe	122
PID 3528 wrote to memory of 1552	3528	nsh7F63.tmp.exe	122
PID 3528 wrote to memory of 444	3528	nsh7F63.tmp.exe	123
PID 3528 wrote to memory of 444	3528	nsh7F63.tmp.exe	123
PID 3528 wrote to memory of 444	3528	nsh7F63.tmp.exe	123

C:\Users\Admin\AppData\Local\Temp\bdaf52245b4cfbab8209809c49d9e55f.exe
"C:\Users\Admin\AppData\Local\Temp\bdaf52245b4cfbab8209809c49d9e55f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:260
- C:\Users\Admin\AppData\Local\Temp\nsh7F63.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsh7F63.tmp.exe" -AnswerFile=C:\Users\Admin\AppData\Local\Temp\nsc7F93.tmp -Extra=REFID:54|ORIGIN:0
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe
    "C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe" "-oC:\Users\Admin\AppData\Local\Temp\Fun4IMFiles" -y
    3⤵
    - Executes dropped EXE
    PID:1284
- - C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE
    "C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE" /S
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe
      "C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe" /S /NOADDREMOVE /D=C:\PROGRA~2\WIA6EB~1\ToolBar
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /u /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
        5⤵
        
        PID:3332
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
        5⤵
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Modifies Internet Explorer settings
        
        PID:4180
- - C:\Program Files (x86)\Fun4IM\BandooUI.exe
    "C:\Program Files (x86)\Fun4IM\BandooUI.exe" cookie http://fun4im.com
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\GLJ9E54.tmp
    "C:\Users\Admin\AppData\Local\Temp\GLJ9E54.tmp" C:\Program Files (x86)\Fun4IM\GIFAnimator.dll
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\GLJ9E54.tmp
    "C:\Users\Admin\AppData\Local\Temp\GLJ9E54.tmp" C:\Program Files (x86)\Fun4IM\FlashAnimator.dll
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:3936
- - C:\Users\Admin\AppData\Local\Temp\GLJ9E54.tmp
    "C:\Users\Admin\AppData\Local\Temp\GLJ9E54.tmp" C:\Program Files (x86)\Fun4IM\CrashRpt.dll
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:428
- - C:\Users\Admin\AppData\Local\Temp\GLJ9E54.tmp
    "C:\Users\Admin\AppData\Local\Temp\GLJ9E54.tmp" C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:828
- - C:\PROGRA~2\Fun4IM\BndCore.exe
    "C:\PROGRA~2\Fun4IM\BndCore.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4796
- - C:\PROGRA~2\Fun4IM\Bandoo.exe
    "C:\PROGRA~2\Fun4IM\Bandoo.exe" /Service
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- - C:\PROGRA~2\Fun4IM\Bandoo.exe
    "C:\PROGRA~2\Fun4IM\Bandoo.exe" /Start
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Fun4IM\Bandoo.exe

Filesize
64KB

MD5
da73a6b6dca59d8f7f7d9ff494c725f6

SHA1
01e043eaaac01329e8ff09d45b3017d6582588da

SHA256
9ed8425966bf40377cb684baecdff123dad1c43f6679d0cfb6608be6b9b9c917

SHA512
79ef7acc0445a3781d19fb83e701b3a935bbd28ea4ce4fddaf4e287230a9acfd82ddf0cb816e8d2b7dc84e189312b63ed85e3444b1a4c2e6af1a3c6918f4b25a

Download Submit
C:\PROGRA~2\Fun4IM\BndCore.exe

Filesize
1.5MB

MD5
d0c1e5654ae09f42dee564572511ef2e

SHA1
e2895459d69e93e944755dc007c612cc777df502

SHA256
cf3a68d5b82382817679d77f6a1af18ad48dda3d16f52c4cf43e81b54fd463c2

SHA512
271e3e76d4a9c199a2487b95f22b0cd589845b41f18e7b283c0f8bbe898b941128b0a6d9773c08d05b5b7f325effabf8eb77b16db96b422a2c7228544bd01c56

Download Submit
C:\PROGRA~2\Fun4IM\UNWISE.EXE

Filesize
149KB

MD5
973567b98cdfc147df4e60471d9df072

SHA1
3c4735750c99c63e6861170a8c459a608594211e

SHA256
69b9dd6160524e0eb44905224f5b1747dfce43243c00c11c87f5c2ec55102876

SHA512
e891e3a413691eddd895a31293117aec8d151ecf18f84d3aa73bc1c4eb95582df1dfe04d51b7011eb55b5e754e2240de4c6269f9547f3cab3519985da1e07294

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next-off.png

Filesize
591B

MD5
ec52771cc9f815db8567ed6d7cfe1b09

SHA1
e1a93767f8336a722d5f6dc1e24bd0336e34a77e

SHA256
ddc97723151b88824e949b565eab55b2acd9ef0df9b95ad1ee6f0dd1f97bced0

SHA512
78f6030e570164703d1e7fb4ed407bed8f7de879c861cc6ab27df6a3919ebb4aff5c1826f3e57c535294bca256336e359564df1ce35b21c7a242b42a40bfbebd

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next.png

Filesize
627B

MD5
53c02dc4ee48e77ea7e6f15b8cd9b632

SHA1
278a37d0be98089abab95b1438082edf21e33b83

SHA256
d5275d4eacef964ceac13a7c71c25cf8169477df7254e5d672524394e23f4457

SHA512
9e953bcec9221e40ee67b1abc2e713064ffc63be5b7727424219a399e4ffecaea53deae1d734cae5354b5aab4f65721e84f7baf4861bc863c3ceb3d28a4d300b

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous-off.png

Filesize
633B

MD5
9a8d072191d4e475e5e480fc3543b16b

SHA1
783592cbcf2d9d9417d1c3ea7e80b8cca46dd590

SHA256
e7cf677144d89ca7eff48d4179bfff6fa976ef07a7c72c5287a8e64e261dfafb

SHA512
3ac524ba93c5d0ce3e80dfd251da4cc6bde325d46bd9ef63f24ab442122957e312107053c85fec24d0366767424361fcb0cd162bc6ed769a9025b2b8e1bf1000

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous.png

Filesize
667B

MD5
10783b75928207bf1dd84b5a1f65c7c9

SHA1
a3d4f71415026150a7e87535e359ca390c2eae1b

SHA256
6728d4c55ad14ca07fbb022dfb993f677ebd13c6c164db489c5b6c33b443211c

SHA512
90a4a3bfdc265ba14b27107135eb6ab658d556e3b6198f3e6fb60f035a40dabc73d1a47dc327fd95664d18b624cb5a6cfed1316371e46e127d4eda35d21fab1d

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\manifest.xml

Filesize
677B

MD5
809a59f13e2410bc684ba26004c19a26

SHA1
73a8d3364be3a2585b4096beeeca8f7ec0e57f87

SHA256
c734caf5170d50ce5e51b7512c8a795d0ca5aa0a3e201e6a2900967e016afa69

SHA512
f52e269104480d3979f1245e61bcbc433b39bb0d75ad4e6d4f86627fba1e4a09d24620e0f7cf4570d6d1c89fcdd34af10270738639c51c4f946c9846a7875d5a

Download Submit
C:\Program Files (x86)\Fun4IM\BandooUI.exe

Filesize
1.7MB

MD5
1cb076b06346feee33ec3e409ea0ec42

SHA1
8cf322d41f7c8e326c6a0a697b90eb813cf256bc

SHA256
307f36ef56a1443a22b838e7d5188fe6d6f04a08194c8789285e599096af5605

SHA512
c9a4ee681ea51c2a3515321a776fe3acc32f9626d0de343a2b12e09095e9e9b3983f7f3b97289033fa8c1e93618194b8ee01bf0d3571aff991e24c8e323c8439

Download Submit
C:\Program Files (x86)\Fun4IM\CrashRpt.dll

Filesize
339KB

MD5
6674549585e1adbc9a453d864e0d70be

SHA1
108dd53d267a3039e8ec61a589e39b55c8c1b664

SHA256
8cb8a63fcb283a8b633ddaac0bf54d8ed208d4898388ff980107470b4860fc37

SHA512
8be6a47c1c87b12f6426aaca4594c51136ed530028e786dfa7f667392a164b2cf929285df445208b214e4cc57a06ef5e0cfdbec57f7f3dc105de75f7f89496b3

Download Submit
C:\Program Files (x86)\Fun4IM\GIFAnimator.dll

Filesize
161KB

MD5
a9fd2046ebaed67672113870c545959e

SHA1
c838473ab1d2ba2e7a7a4d71242750d4fe4d3203

SHA256
063f9ddadb5a48bc4960dc579bca62cf8a64779d3d34cce2f0a20588b9872a7b

SHA512
a4311f328fd13d3cddc7b4970f59b183d8a72dfe55229584dd4f0a54d233743bfd72ff7642fec368c0ffe4ef29b68fa45bcbbf216202cd237f9123bdd9bb38c5

Download Submit
C:\Program Files (x86)\Fun4IM\InstallerHelper.dll

Filesize
1.0MB

MD5
b8b3c250869d12692a057c79c82ae4c7

SHA1
4dee9892b35fe22caf6f9faf7e3fd4104e81eb31

SHA256
714d727f3ab6b926e424b11b8ed4e9e13681abc1efaf32cbafb5c31edc51be31

SHA512
81da8255436f8e209fd7bcf1f961c81e6b47ea6d77b44ef9bd389f465fbf6b52625a70d6c0512422f8fa60fbcd175f2c3c98603750ce9c91ad3ac9e517817aa5

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll

Filesize
14KB

MD5
0bdfc5068f824269fd817ee16c3a3ced

SHA1
613ace62e1141111231982a1632285f0ac81101c

SHA256
cce0d21c90496e5f8d05347782ae5e0372fb3500a82f05d9a82fe20694ada509

SHA512
3b06501b4f88590422ca6fb5c6dfc3711e374141c8b89d2ab6ed6ff4633ae10dd9f10b5327fefd8392130d603b493223ab4033a7f2e3c678e2ddfbd3a141eb63

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0022.TMP

Filesize
1KB

MD5
4b24730682e1bd265e08bec28bd68c2b

SHA1
a9ada2a9ec74268874601731c7e3b41c7b0846e0

SHA256
9c1eff07cf8d7f35bc62238e5c7fc51e413ddc8f80a1071e4ae41411961815ed

SHA512
90d730486e788f5b1e33cfc9f8ab9946845fd125d6dbe48df9b5b3b128d5236066ff62b9304f32ffdbc3023967046aa83d52e4da99bdf19b9c04d1b0c6a387be

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0023.TMP

Filesize
1KB

MD5
e5f04b872687c16acebb60726886b67d

SHA1
1ab298337ddb7cebc97b03e512ac1257e50dd149

SHA256
0f146fae3d2e3aaadb90687dfeccd0a26927254a048be7828bf2b12b6237bed3

SHA512
421dd77fee2d065bdc683c5ee3254bce9d6d52aff7190cc15d193590a6e58b92ca3095d143e7a73c993f955c5d2620868f8d566e706df7d97ddbd69302ccfdb0

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0024.TMP

Filesize
1KB

MD5
92b06f6952fd2e0266d5246506515b8b

SHA1
7ba5807536048f3c5fc0cc76d6e5984f4fab88e5

SHA256
baeb3bac49604023c3093d1340af6c5c0a9e20c2d479b6141e52ced932dd092c

SHA512
714098c30460784d99f5aa8b2268dc7820770f3e35d93ad319d8fc319ead6adc1ec8ea30cd535f729165b4d8a4258e5d00f18838c541f36ab71c9e3c0c95ae38

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0027.TMP

Filesize
3KB

MD5
71d54a61b44e3aec554f30ba43986a53

SHA1
d87ac38081c01a8b8dfd50cf129a94692cc84849

SHA256
7cb8db9993d52bc66f45e0900e5acc36ad40c2f6b3ac25d7f4aa892a0bf5c0bd

SHA512
1a6f730801a57d99d995847512c6b079f9f963b968dea49d43e6c45a05018ec8bee2c4b058f847cc245b07667392d5a6aa6908074d3a7d79883980a704fdabb7

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0028.TMP

Filesize
3KB

MD5
8b518642a7ed21cb2008ef4ea558aaa2

SHA1
d811236f78fe3e2f4d7fe93653addd58da6253a1

SHA256
411b37dd8a13a1da1cf688ca3a646fef36113956be76c7c6630647fa7382324c

SHA512
662fea897287ddf520781262c9745f2a6ad508333e0177ca7f18f1a39ef1321ed781648bd77f54d788d2b5ebeb7fb266fa477638363c5eab1a71b5a6eff22663

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0029.TMP

Filesize
3KB

MD5
bd503fc079afbb9593e01e3f77f684a5

SHA1
caccaeab77250dc2f3ca6cc37d1efdcf59251997

SHA256
5b93440f929865a5d80106358550b64d18df20a42ca5254a2b5a5c6b7653eaa5

SHA512
b947cb0d4b35a238626448b5b8c081bd2c984b07929523b13e43185e450b269f934084659ec2583f14ceda68d4814f9fe25cbc07d9ef2afad15e2a8d8c8bf8e7

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002a.TMP

Filesize
1KB

MD5
dc77d8c55634ed66b8625c987eb25946

SHA1
5ad7bdc1ca076e94d465fa343ab4cbcf9858597c

SHA256
2b3a45b5f2f7cb5e3f7112e59d4e94ace459d16126a8107a93bad1e6f15b6c5c

SHA512
ea662835239dbf9b2e9ef9965e66984867bf25b7a5698cfa8c97123912622c1e8e1f0b2475ee41f8df5ebd8a217741bc69afd06481a9991f79a15f00eab328e9

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002b.TMP

Filesize
1KB

MD5
d4c76de55315e8eee5b34ea403af3fd9

SHA1
551cca2f1a1cf1f2b71d5a65ee7cf6a391b72f91

SHA256
184007ae605ee4ffbdbf779e6275f6a75aa9250cda8652bf9ce73b5dac54d76a

SHA512
78f3049bfb91e9d43f963f8f1a05ca2fdb867c2ed2661a43787c0066b9f101a0c1adb0bca211ffb0240f33529e8bfed8d4552b4d4f49015b59044a650cef0126

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\BandooMessages.xml

Filesize
10KB

MD5
97c46521e75a3a738208cf5711782523

SHA1
d09ec7c63d8bc27bb29c700a4ba73d864bc28d98

SHA256
e7e326b997de54efeb2c4a260836ca19c24de9f3a3b603aaafb59132db12a1a5

SHA512
771234afedd61d13f8caf0744b7416c07bf13ca2cc8f8ae57504a15b4cc1ce867612a5c7531d1360e8bed600b8f6b1790ee80bbee0ad7d860c967df642c12bd0

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\downloading.gif

Filesize
1KB

MD5
e57db08b1b405864e28e9282c05a5e26

SHA1
761bc01a3fed758253cb32fa9674edaa08a1fe9a

SHA256
17d73f59930d91b4eeb1abe7695d547a3a7e6d7be419e07b188b95a21236d7fa

SHA512
7b0b9c3c8811729dfaf4354d79d37f51f4d8accdbed147fe3ed50289bcd328cbad8f87d44d62fad275125e23d63c974f7d48eed3f3350a7f7d3b8c0c672a8f47

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\nudge3.wav

Filesize
21KB

MD5
db507d76fe5408b3ecab582b545fbd04

SHA1
6c32d18157dde92d056a86a4f23c57da5f82d889

SHA256
d5202d30e318458df7a56605937a20eafa37714884edf43dd4c7a6324794323d

SHA512
834745c1bcb5482f2d37b821248120fa4b605969e6c381d8c74bcaade63836fd9f627ec386963262b833626f3cfc1fd5bb903a539189c5ddac13808001d7e6cd

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\nudge4.wav

Filesize
53KB

MD5
8ea6b0aec1769520e28c9c4a4ee97011

SHA1
cf469dd89b588e79f254c41c61a7012adbfbe061

SHA256
a42a6fae8baef018de0c25d35a3fdfe28abb72066ef7a4169b19748e5e4e1002

SHA512
27603c9efc258ff97956a1aeb3a321b921366eb62613fb67f5acb908fcf4b600422b696a97d92f8742a219114b709d340ed853fd7f7d76243c5f21499dd12bad

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\nudge5.wav

Filesize
32KB

MD5
2ac2fcfa7469d5fa2d7e6a762aad45a9

SHA1
08358fcdf1efcfe6938f5ab0db19a745544f1b79

SHA256
627a38c6c239a51d77780bc5bde4cbe6e91d60a43cb2359116295aca766dce90

SHA512
3c910b4bdf064f82f3662f6399a3fe7facb9de19202d460fd9f99a3d6de015e46248b325c4902373c195bb62b789315c4c051691b9750ba3dd16f4ee9fae415e

Download Submit
C:\Program Files (x86)\Windows Searchqu Toolbar\ToolBar\SearchquDx.dll

Filesize
85KB

MD5
5341d89ccc497fcdb3cb2b0ee447af2c

SHA1
21569742db2e4b878560c81b1c4d660aa411f2ee

SHA256
6cbf7ea6d40cf18fd45be290cf450fa49ca589603c36b193a43d40479b2053a6

SHA512
5cb97e4c32c5086358611323be03ee831667ed980e5b7315d51533724f4459099cb5993a44d644d6c59670e297870cd52e0693f7a78f6485cd19349c7e16bef4

Download Submit
C:\ProgramData\Fun4IM\WPSubsystems.xml

Filesize
1KB

MD5
aeb8a0f98aa3c7ab18d5ff3c7adaf12f

SHA1
a10588232218b98bdc57d6a7dc6dbf63b9981ceb

SHA256
a69c0d2985d39d49165cde5c9662ee642526459fb44a0469b1c57b535f0bd730

SHA512
0238482a2546528494e977530c165f266ba8bd354d244bbb47af5d61736670e2686278488002d70eeaaab39fba203b1c2b915f4bf51c645bd349e93ea4a9d1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BANDOO~1.DLL

Filesize
320KB

MD5
36f3be188b03db0b9078dd1ca1892a4a

SHA1
d6a152cbd22b8bfe8a8e7a6a1262affa3429aa58

SHA256
a5af85d1b372aae69c38f8cd79463903eea49d12b85d75691dd1adcfa93b8c39

SHA512
db056946c4f78f74fb9f47f09b00dac8025c60a8bdcb5140502eb0e0d27742ff7e88060257081156f3164cefc327ffde8ecb9cb909003130d019e2ed7ad271f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\Bandoo.exe

Filesize
640KB

MD5
acd8618ce0514e9b3d39e08459fcb6f3

SHA1
db9dbab2ffd93408c3652d30bbf9880c21a3824e

SHA256
c1234e10f4787b1ed91dce720f56cd5e7987e7160b2206e4db71ca471d27fa07

SHA512
f0b6453a54db5c3853881ab8002da31498b80f972cae76644865c7a1c106e3a3f2edfe82d07ed0d8a19aebf31fb3d8e0e950f2e6fd764bea5943dce5ea4a840a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BandooGo.exe

Filesize
576KB

MD5
a5a7c01361f94d1d4aaa9973a068948f

SHA1
a8eead938afb8219c6f2ebf6f33ac692f188e83e

SHA256
54365cf18b4a3b82b2295e482341d2f1d649033867ec61499fe93fc99557b02f

SHA512
1c1395fb243298b4d598298a99a8fb71d2561d9d23af6be87d7b6bbe26ab502dfb49180b3f27e4c2dbdfce64416bf19a7b00718d3f801e9087ccc4f3d437730a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BndCore.exe

Filesize
384KB

MD5
d6d79c333cedc5360ff053bdf15e2681

SHA1
db15a2748fef1c73af602bf876417a84ca6c9936

SHA256
240f809ec26c0d2e13eb30efae6c77927e683e8c7e7da0ce19a23960ed16d7b8

SHA512
b38aba04e85f5584873b16608ed4aba82a9da9c1d06061ec40b451c0cb4036af52b88afb78d5dd5bf965a796fd5fce39e27822b1af13e6bdaa4328c0908615ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\CrashRpt.dll

Filesize
256KB

MD5
8bbbaa5c88af23cd537ee38acc4aa9c5

SHA1
5092fe6db4c457c2021ad6abc7e1d8f035d5d3d0

SHA256
c956c45e903563f0576cea21f25274598bd3d842f5e3dcb657bdb41bd91c6f23

SHA512
27a6a96fa2ceed2e328d21c4d2aafce173b86135f0539891da46b63b3d7ca2cb15f17aba1fc044ed89320485931c065494829d381b355cc2878d46665f699067

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\EXTENS~1.EXE

Filesize
1.1MB

MD5
8becc2a870db96977054b01cd1409720

SHA1
8b4dcd16a8dd63e476ddcdfd0b0c7d838a6651aa

SHA256
3943ca184a48976a6e61a703c9fb08598f2c3256265461a495fcf9de974ec0c7

SHA512
58b7c83b118381b69ffd6509cf2c8782003d0027d4d7663c8c01b3e358625aba681d2142c1136e35efcdc26ef067f04549e17ae8755ec590765d0c1d31249879

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\FLASHA~1.DLL

Filesize
188KB

MD5
425a1f948efb36e5ed37e7a9a25f357f

SHA1
67672df006a6313116b5bfa26e493bcc76a720c7

SHA256
d4bcfd1d80d2dae506cecbd64f43886ff822bc3f17f409017a6e6e2dc687407b

SHA512
b937752c802217d598ba3bae9267429534ca9d57942ce9f806d8231a49a2646189f20678bb6c88ee29499b99abc6840c15a78fab83827237b07f36e919a6a8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\INSTAL~1.DLL

Filesize
1.3MB

MD5
8b8d57a7822c281d136813a6a6bee3f5

SHA1
baaaffa093dcd78d1e33f82aa52d13bd88e7c704

SHA256
41a463a7409350e1b937d0e5ed4d6c89addd30b7f582904174b689c6537a4b36

SHA512
19d186b668050d1e857f1fd5a210b62db3e84e3b859d99c42be707bf06c6fc362fc920b45b310d480c0811443deff968a6a8348b71d8f4a120d43bddfed21070

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\PREUNI~1.EXE

Filesize
185KB

MD5
6b4c2474ab43b101158dc9249d625471

SHA1
e9205b8cbb5eb5a1d0a487c9401023a6ee853cd5

SHA256
dc5d27aea969527bada1d4cf6080fac59fe497c1f77d36db51deddb2e0047d9e

SHA512
6b0fb876ebf3270aebae2df530d3591aa90f99432924454b3fcfdf8224895dbe90bdc1ccfc0bd83ae01383d0d89f59fa92fc71d256a5b343848fac071fa4aaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\Plugins.ini

Filesize
222B

MD5
b80866b84490c8974ec17ab899bfbe5d

SHA1
3f1b794e1e035d2d5aa60069ce32af89165692aa

SHA256
f4404b5e92163280a0fb077a1a51c0bf033945f5d6b5b0fb4c7d423aca07a5ad

SHA512
19a0295bd652f38ad481743b0dbce3a612edf4a57a92a4f2fec4e728f216e85fcdc435529c5886db89996d36a12d974c28d6b053f7761b875e874b1de7dab0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\LIBUNG~1.DLL

Filesize
30KB

MD5
5395d8552b99dacf6f4cc4610dc317fe

SHA1
96187f9d487600268428a98c77788f5be9c195c0

SHA256
f3deaa142f26b1596d73ea7d5f2844ded23265c215f1b0ad435d6203bf1544f5

SHA512
d1cb0f8a598cbeec8bc954795530e7a41df4f9cca631604ec69c02d4d697fef7ff071446ec29f48370e96bd8a9e151bc0748a33a7d52dd9552ddd6b7f05dd2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\LICENS~1.RTF

Filesize
43KB

MD5
6efa068d4c5e66d296249eead5d4588b

SHA1
798706d0094c74f12f99163987ed324d40dae9dc

SHA256
f91c7ccd4653dc7f91938510434c16031f591bc498254f93125967a5e0b63782

SHA512
9dd1675180aa54884e0dcf282408a0b7385079a43e7476dd945edab7fc204a7e09634594971a59821cdee68b2d66bbed023964554f96bd347a73142f394301b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\SETUPD~1.EXE

Filesize
2.0MB

MD5
5b5555b6af246dfea73b585a1db26c6e

SHA1
ed352d072c5bd309af464986792c09c83b847caf

SHA256
30818c8c924c4124f3544d4c3e51e597bcae41798c6573329a2d710601521528

SHA512
93bcf786041c3f9475eeb0d2419d6f0c4c2e9a3ad7c4a60795ee8ba84d8624af92466b59ef5db649a6b2263dea8685c4456ed695024efaa4e8c0599a63c33b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe

Filesize
4.8MB

MD5
2813b70818348816893ee461431dc9ba

SHA1
1cf95c3f2678558e31993cea3ee33802da87c8e2

SHA256
32d019530321f6fb5ed4ca15497d080ad9a5e98cb2a39bb01331247e5d187807

SHA512
f8b97a2e4768fd743f0f9635da3783fb71b0cd28af789831a9d2c5e01da8264a49ea02a65e255542f868c53c989b4ede5f333509969dd8c162410bf538cc99dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe

Filesize
6.4MB

MD5
f211b2557e7858ae124653d7cb29f0dd

SHA1
d9eb4d799047a942f826d5261a22b0aba1a0d753

SHA256
648d2021bcb77c24602f634f7db9c9b190c27df07aa95aa983ff00488ceaf395

SHA512
a949d67b5899888417648cdaf0fe379960ee74b48e9a2b9e763b3c0b84804dba921e2a45a35b5cc3fc2c9a9fdbfea25157849287a89efe6473a3abf138b26478

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\Bin\resources\plugins\OE\HTML\blank.html

Filesize
471B

MD5
8adb616d567aa9bff9e4ae0706bccb3b

SHA1
0bbf2ce61145358a89cf4af14340071a9c680b8d

SHA256
5bc3f1f0e802f4143a88186e9eb7a8d0465bf788c04d109512ae73942f378be8

SHA512
1d1b08ef9ee0a47ae2888711b042229c66e1d2d1dacb705d820793300670f81de7a62f8f117dfe8de406133d778519519bde3205e9914658256c8f8b6181bcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\Bin\resources\plugins\OE\HTML\error.html

Filesize
723B

MD5
b7c7467f89925c675476492aed843958

SHA1
3357ffd23d718bf60ce999a1f82987a40da4ae0e

SHA256
690db044770f1d0e1d9350ff3bb41a5151a0a75c47d7dbef50e48efbae14d656

SHA512
cf4ba2f79dc908c8e6d73cb9f7399e2993df47604f7c9f8332c4f1cbcdca6d5756219930c9e526fd0e909be8c60feb13bf16fefc112cb97d47c34939afcacdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\files.exe

Filesize
741KB

MD5
4e1b22d81ded73644296d3fab2084e88

SHA1
c0cd776142243c24d0903a79d6ebb6b097005072

SHA256
eabd731073145eeb295bf01d43f7d695a6aa4117ca5f15ea8e6d9a1f74933205

SHA512
8872de7b5fe87f94332da3748585eff410c634f4f3be55e78e787f6be2f504f452c0e902c300827ac7db8529e6b868339d7e350f51e41683005660799b3ea162

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC9E15.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFCA1B.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFFCA6.tmp

Filesize
1.2MB

MD5
6545d7eff08c5b9b75f00462635fa6bb

SHA1
f792da0fc4f0328ad099984fcd3d57bf468fe5a6

SHA256
b5d5cd869f0d446e8c2a91d19cddfdf02beac11b182351f49ec551785f866357

SHA512
426a32b837503b766a0a8a52e72a5749d2914301bee484106ba24a8e2e57a4a8900fd39af6af801194909f18f2505f4360234ee96580cd144b9eacd6291f32f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFFCA6.tmp

Filesize
896KB

MD5
9ebc21f06321a495d7fe8b665e243b79

SHA1
93a7aad0f78f7572e8736c902917a521b1d4bc00

SHA256
42311ca74b9cbeb884a59c270ea2ee438f27651786d2bdc0162e24f28a9d471d

SHA512
0d9179b26568d490f6a6fb3ade89a7e9d0bbd746cafed8c14a45968ac03d22a2d4d9a089dafbf70ce506c4d39ac1ab73ffc742bddcb7142eca954c7dce0a6832

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFFCA6.tmp

Filesize
768KB

MD5
be87ee53cb64b11b9402eac43b61089b

SHA1
938c92778ea2dc701d1863bec34424e67cd863b1

SHA256
70ba9556bc09b55a3213f271236eb8840b21f8a9be8ed82968a6a028400f30fc

SHA512
f922248f87bd7fcef5cfc86f0500d6dbc62a26158fba116eef5a59726428219f66ae7efe3469218eab5b6cb74c786f93f4876dbbd88dd99b6348172170d2fae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFFCA6.tmp

Filesize
192KB

MD5
c98971afdfe70d697ae86d21ad1b34ff

SHA1
490395fdb297295d584862d08c1bd50cab5a46aa

SHA256
87aa803b439e3fe9d814c200bdf79846f6cefafe65eace9d0c5056b9d70a38c4

SHA512
37db1a47d32867d0f7c421419630785c74d2332b9060221787c8e7aed9556f95201f9def872bab92bfc67c85517b196fe73cbee6a8a0f8cd9cd846d4f3092a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLKA059.tmp

Filesize
35KB

MD5
5614b11b85320c6e526b9ccff1fa7448

SHA1
1c01ecdc58643d752344c8dd1fd6ff04c554d874

SHA256
e4993861e8dc24757dd9983086203a078fc48f7a71efd6f3746c23bb12bf9b60

SHA512
58cb7cd54a81ae7f40ab0036b8479c18b16536ba4676dabb494b7eeb6c02283c3170b99048dc08476fd7d3b833efcd89842a871a1ed5b89d1ddd3bcb43c98d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE

Filesize
1024KB

MD5
b35972662766df6a771c8444ab74196e

SHA1
1d2cc64784d35eeeb3739632691add8d0a309578

SHA256
ab213b47a5690807f00c533f3d9385d9ed2418ca95e7f4cd56bb2a7d4bcd939b

SHA512
ed11d7d51ea344e4794b7d91acdace567313c9b06f717aadb2b700b36bc4a045bb7d74c89dacc5c5e4670da29f4913c8f5802158b7d9a67a87323b81de7aa52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE

Filesize
896KB

MD5
25ba9318953b9fab329b088f98574e43

SHA1
c348c85322d9b4bb8e395ca56e6551eafc7f0a16

SHA256
e3886306376aea3dfb5c00624862c9913402c1be151f40750a588524db017704

SHA512
9d107e5ee4b0e39f8536acb51d76b6244adbe3b637dc9e6194fb3fc1280a155162ca26997a5312893e5076d1beb4556f3534b34b91e54292897def12fc3bd92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Searchqu.ini

Filesize
232B

MD5
f680b584d6946840d1ac2dfc145a59bd

SHA1
9d8f7624f8788af592e8f1cf61f7e5f1f60f3133

SHA256
dae4d55ef25b9036abca41aaae23563f9153246d9801b07e46ad47393adb929b

SHA512
a7b7adb0831885f5b115926408789e7d4099c5b2f33605ccb5d95ecb3f72cf2515807fa0335b2f3f0369b859614c4163a2d077c5c62d4b94ab6889a28f3c73f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe

Filesize
448KB

MD5
6668a6981f6a1917adcd59878f57533f

SHA1
949ee2bc26a9b720397959d35a56ab2f34885ee4

SHA256
6daffa4b193e8bdc24aa939529d2f14f1229049de8af56b85d938eadfb5272fd

SHA512
7d155b5b8f0d23c82bc3b5baa31c9e01ff4f2f375239ed18b0478fd277aa4649314f6e42e5673d072711f7e7e73b04d6b6eb3f4c491826eea97c33c9196bf218

Download Submit
C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe

Filesize
320KB

MD5
c7c2e723f43f2a4a46ad1b933f0223d0

SHA1
1cfe280cb4f0350c78e34d27fb2e1f2b0488063f

SHA256
b7955eb27027a4833a4e4352593930f8ab74b4ec1fbcafe4f938dec663472aac

SHA512
88c114f5ccfcdc3f55ff3214cb2f92955c7966dc3623aafc680393bfb1f637224039b35209bb853755671ff26761a30f156e2977583b83a31558770595a85f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe

Filesize
128KB

MD5
376279aa0aa139922c78fcb918df6261

SHA1
17ae3d625cc83874349b99dc4912c2e29aa0a6f9

SHA256
22ef5759760a1ed07f657c263a361b1ce16b6ea876dd41172d47562d5e992805

SHA512
844e9683a4a994cfc3fa6dddcf0edc45d834ff2121e14c68299effe6553b8ec430c7218d427f30c0b6aaba63efebe7bcd8a95719df6909616a9b5178e15c64e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe

Filesize
832KB

MD5
550f3d83214dd28d91e90a5e71043519

SHA1
64facee82ee611786731c88526fd360c118a18ce

SHA256
2aa786954ca38e304e3df1d5ba93c79aa11d9f34453ab14874ccc653013d9a71

SHA512
a79dc3d4e6233ddcb08c70ad18ef6742681a542369b1e9f5671f85759dfad645bac75951f87a0eec5af6a012756d82c1133dc32282d28b8e6ade919a8cd8b444

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1441.tmp\InetLoad.dll

Filesize
17KB

MD5
e241424579fdfd683f0adff02b7483a8

SHA1
c4cde72b3e5e34730a41d43383d1234279dff1f6

SHA256
c8601ee8eda1952ac188c05ae0527b51e525ee4ff36f67218dfdd2d48c79fd6a

SHA512
a0c0f4bb55b8c0143266705292805fcb98f72dbdc4b724569cb31bd7488258ded63583e1f060c1d7bf003d3df2018b05a0720cee3064b6f6c60247e959636947

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1441.tmp\UAC.dll

Filesize
16KB

MD5
0d422e0c03a7d9428c6c02175d7dc9f8

SHA1
5e13d49521cfbbe52cd74de8e1682789f0268969

SHA256
9f47ec720d74e538bbc8d0c1118efcbc52e52050dbe98c27029fc35329996f7c

SHA512
2edf47b24c4201e082841824d6ad9047a06e9a877d799e87befaf5d54179c924849d2e608cf9f60a1480828edcd98e19f3d139d19bdb4b96ee4939fe58bf0887

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1441.tmp\xml.dll

Filesize
26KB

MD5
fbda05aa26e02d38effb82294e83ea69

SHA1
aa2291ace177515173315668480c74442e21549d

SHA256
565e439a6262cbe6c8164312ad330930738efa8d4defcbcdcc1eeb752fdb75b3

SHA512
3fd4dcbe059df3078f7709b2b9edbe30744ad7ff6e4cd1c494b40bb796a31838d5c9761fe9db860c38bd929c364df4767435fb85dc4e4115e361dd9d640c256f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh7F63.tmp.exe

Filesize
6.5MB

MD5
cfe3ccd4e51148fc43af6918502968ed

SHA1
fe08ac064dd792ec012929a1873e60ac2a517859

SHA256
2dd4cf403fe7d85d7d32cfc69239c479f4d25067facf6f38be38593582280b2c

SHA512
9245582ff6373fdf44795fa276ccf950bbeaa97b8427d3e47c304d74c0ac93ba30c92879d81c03ce3e6ad19f29d85d08e6b527d63660e3d922b01210cdd97435

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl694.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7F53.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7F53.tmp\UAC.dll

Filesize
17KB

MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
memory/788-853-0x00000000038B0000-0x00000000038C6000-memory.dmp

Filesize
88KB

Download
memory/788-368-0x0000000002070000-0x000000000207A000-memory.dmp

Filesize
40KB

Download
memory/3528-243-0x0000000003B30000-0x0000000003C7A000-memory.dmp

Filesize
1.3MB

Download
memory/3528-1059-0x0000000004280000-0x00000000043CA000-memory.dmp

Filesize
1.3MB

Download