e51bdf1f6da853bc6713ae4001350a5efe246349846e0dedb42c0bfb9000383f

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$0.exe
Size

6.8MB
MD5

e243832f455be7e48f744887486461a9
SHA1

e1ff3ad8eb89ebeda99b712a6b49327d5c00decd
SHA256

6b0285fec5f9c69e3efe6915c82e10471c7f087248b922e96e6f213bec94785c
SHA512

8ba9a7a212fee4df3e46ab2ac7591b33087593e1be1510f6de5b2831a8454d82f2ecfd50907c92b28814bbebf19fd79f78cac2596c6baee99ca96158ff217c91
SSDEEP

196608:/4C6LY5eF2Chd1khvEgRaQc5uG8sQkgpY16eGi:AVM0hhd1khvWQKuGiW16eGi

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	$0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	SETUPD~1.EXE

Executes dropped EXE 11 IoCs

pid	Process
5068	files.exe
1328	SETUPD~1.EXE
3228	SearchquMediaBar.exe
636	BandooUI.exe
2360	GLJBFF5.tmp
4980	GLJBFF5.tmp
4984	GLJBFF5.tmp
2300	GLJBFF5.tmp
3284	BndCore.exe
1676	Bandoo.exe
3880	Bandoo.exe

Loads dropped DLL 64 IoCs

pid	Process
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
1328	SETUPD~1.EXE
1328	SETUPD~1.EXE
1328	SETUPD~1.EXE
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
636	BandooUI.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3228	SearchquMediaBar.exe
3228	SearchquMediaBar.exe
3228	SearchquMediaBar.exe
3228	SearchquMediaBar.exe
3228	SearchquMediaBar.exe
2360	GLJBFF5.tmp
2360	GLJBFF5.tmp
4980	GLJBFF5.tmp
4984	GLJBFF5.tmp
3228	SearchquMediaBar.exe
3228	SearchquMediaBar.exe
2300	GLJBFF5.tmp
3284	BndCore.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
1676	Bandoo.exe
3228	SearchquMediaBar.exe
3228	SearchquMediaBar.exe
2708	regsvr32.exe
3880	Bandoo.exe
3804	$0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020}\ = "Searchqu Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}	GLJBFF5.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\ = "Bandoo IE Plugin"	GLJBFF5.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\NoExplorer = "1"	GLJBFF5.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Fun4IM\~GLH0004.TMP	$0.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\CrashRpt.dll	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\arrow-dn.gif	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-options-design.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\scrollbar-track.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\ExtensionsManager.exe	$0.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\~GLH0021.TMP	$0.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\BandooToolbar.xml	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btnarrow-next-off.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\button-down-back-ff.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\icon-Add.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\collapse.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\menuitem-splitter.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\footer.htm	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\TRUSTe_about.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\bg-pnl520x390.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\ico-playstation-down.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\box-uncheck.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\dictionary.png	SearchquMediaBar.exe
File created	C:\Program Files (x86)\Fun4IM\~GLH0010.TMP	$0.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1053.dat	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btn-wide-maximize.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\btn-wide-minimize-down.PNG	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\news.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\loadingMid.gif	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\scroll-right.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\BandooToolbar.xml	$0.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1054.dat	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btnarrow-next.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btnarrow-previous-off.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\skin-grey.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\remove.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\volumeslider.html	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\icons\na.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\button-hover-left.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\scrollt-down.png	SearchquMediaBar.exe
File created	C:\Program Files (x86)\Fun4IM\~GLH0006.TMP	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btn-wide-minimize-over.PNG	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\zoom.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\dtx.css	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\options\options-main.png	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1002.dat	$0.exe
File created	C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\~GLH0032.TMP	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\lib\external.js	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\modules\datastore.jsm	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\expand.png	SearchquMediaBar.exe
File created	C:\Program Files (x86)\Fun4IM\~GLH0015.TMP	$0.exe
File created	C:\Program Files (x86)\Fun4IM\Plugins\IE\Resources\HTML\~GLH0040.TMP	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btnarrow-previous.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-eq-busy.gif	SearchquMediaBar.exe
File created	C:\Program Files (x86)\Fun4IM\~GLH0005.TMP	$0.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Resources\~GLH001b.TMP	$0.exe
File created	C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\~GLH002f.TMP	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\bg-btn-start.png	SearchquMediaBar.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\add.png	SearchquMediaBar.exe
File created	C:\Program Files (x86)\Fun4IM\~GLH000c.TMP	$0.exe
File created	C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\~GLH0017.TMP	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\menuseparatorback.gif	SearchquMediaBar.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\~GLH000c.TMP	$0.exe
File created	C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0022.TMP	$0.exe
File opened for modification	C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0026.TMP	$0.exe
File created	C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\btn-dragresize.png	SearchquMediaBar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 5 IoCs

installer

resource	yara_rule
behavioral4/files/0x0007000000023533-216.dat	nsis_installer_2
behavioral4/files/0x000700000002354b-349.dat	nsis_installer_1
behavioral4/files/0x000700000002354b-349.dat	nsis_installer_2
behavioral4/files/0x0007000000023532-379.dat	nsis_installer_1
behavioral4/files/0x0007000000023532-379.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShowClosedTabs = "1"	SETUPD~1.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsThreshold = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	$0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\Policy = "3"	$0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppName = "BandooUI.exe"	$0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}	Bandoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}\URL = "http://www.searchqu.com/web?src=ieb&systemid=403&q={searchTerms}"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}	SearchquMediaBar.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}\Compatibility Flags = "1024"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppName = "Bandoo.exe"	$0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}\AppPath = "C:\\PROGRA~2\\WIA6EB~1\\ToolBar"	SearchquMediaBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}\ShowSearchSuggestions = "1"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppName = "BndCore.exe"	$0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{8A96AF9E-4074-43b7-BEA3-87217BDA7403}"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}	BndCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}\Policy = "3"	SearchquMediaBar.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Microsoft\Internet Explorer\SearchScopes	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\Policy = "3"	$0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\Policy = "3"	$0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{7FF99715-3016-4381-84CE-E4E4C9673020} = "Searchqu Toolbar"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\USER PREFERENCES	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}\Deleted = "0"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\Policy = "3"	$0.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}\SuggestionsURL_JSON = "http://www.searchqu.com/suggest.php?src=ieb&systemid=403&qu={searchTerms}&ft=json"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\Compatibility Flags = "1024"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}	Bandoo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Enabled = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{8A96AF9E-4074-43b7-BEA3-87217BDA7403}"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}	$0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\OpenAllHomePages = "1"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}	$0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}	Bandoo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\Compatibility Flags = "1024"	BndCore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}	$0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShowActivities = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppName = "Bandoo.exe"	$0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	$0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5379B4B-24D8-432A-9A96-BE75EE5117DB}	Bandoo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\Policy = "3"	$0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}	Bandoo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EF2B6317-C367-401B-83B8-80302D6588A7}\Compatibility Flags = "1024"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppName = "BndCore.exe"	$0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	$0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\Policy = "3"	$0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}\Compatibility Flags = "1024"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}\DisplayName = "Web Search"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}	$0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}\ShowSearchSuggestions = "1"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\Compatibility Flags = "1024"	BndCore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}\Compatibility Flags = "1024"	Bandoo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShortcutBehavior = "1"	SETUPD~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}\URL = "http://www.searchqu.com/web?src=ieb&systemid=403&q={searchTerms}"	SETUPD~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}	BndCore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}	$0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppPath = "C:\\Program Files (x86)\\Fun4IM"	$0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}\Compatibility Flags = "1024"	Bandoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7403}\Deleted = "0"	SETUPD~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\Policy = "3"	$0.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.searchqu.com/403"	SETUPD~1.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9932C738-5580-4408-A0E8-5EA03BE5FB18}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooIEPlugin.BandooIEPlugin\CLSID\ = "{EB5CEE80-030A-4ED8-8E20-454E9C68380F}"	GLJBFF5.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.BandooCoordinator\CLSID	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.CoordinatorUI\ = "CoordinatorUI Class"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF871E51-2655-4D06-AED5-745962A96B32}\ = "_IBandooCoreEvents"	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPDataAccessor\CLSID\ = "{074E4EFE-81BB-4EA4-866E-082CB0E01070}"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\ = "HTTPDataAccessor Class"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}\VersionIndependentProgID	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}\LocalServer32	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9005ED5-4A1D-4606-A4DF-1A25E7D7B417}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\AppID = "{3AD7A5B6-610D-4A82-979E-0AED20920690}"	GLJBFF5.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr\CLSID\ = "{27F69C85-64E1-43CE-98B5-3C9F22FB408E}"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\Programmable	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPFileDownloadService\ = "HTTPFileDownloadService Class"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A01A3335-0C30-4312-A430-92356CC37A92}\ = "IEPlugin"	GLJBFF5.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}\ = "BandooCore"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr\CLSID	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\ = "SettingsMngr Class"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF948646-8BF4-450E-A059-CF8A4E0FE2BE}\ProxyStubClsid32	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9005ED5-4A1D-4606-A4DF-1A25E7D7B417}\TypeLib	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\MiscStatus	GLJBFF5.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\LocalServer32\ = "\"C:\\PROGRA~2\\Fun4IM\\BndCore.exe\""	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.PlugInNotifier	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPDownloadStatus\CLSID	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPProxyInfo\CurVer	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3AD7A5B6-610D-4A82-979E-0AED20920690}	GLJBFF5.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3AD7A5B6-610D-4A82-979E-0AED20920690}\ = "FlashAnimator"	GLJBFF5.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FlashAnimator.DLL	GLJBFF5.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}\TypeLib	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\LocalServer32	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr\CurVer\ = "BandooCore.SettingsMngr.1"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971}	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}\LocalServer32	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}\LocalServer32\ = "\"C:\\PROGRA~2\\Fun4IM\\Bandoo.exe\""	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D60A7941-4F69-4A79-BED7-72ADA784B8F7}\TypeLib\Version = "1.0"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{872F3C0B-4462-424c-BB9F-74C6899B9F92}\MiscStatus\1\ = "131473"	GLJBFF5.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\TypeLib\ = "{8F5F1CB6-EA9E-40AF-A5CA-C7FD63CC1971}"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.PlugInNotifier\CurVer	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9932C738-5580-4408-A0E8-5EA03BE5FB18}\ = "IHTTPFileDownloadServiceObserver"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{518CA0FD-F755-4F98-A2A8-CD450FB203AB}\ = "IHTTPObserver"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C29CF951-7F4F-4B8D-ACA8-C4EE934C27DC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJBFF5.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.PlugInNotifier\CLSID	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}\TypeLib	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPProxyInfo\ = "HTTPProxyInfo Class"	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7DBA2B02-EA31-4B98-812B-C6E8AE5C2972}\ = "IHTTPResult"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\LocalServer32	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F43FA77-C18F-4D0C-9C7E-958876FE2061}\TypeLib\Version = "1.0"	BndCore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F43FA77-C18F-4D0C-9C7E-958876FE2061}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BndCore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5D99259-ADA3-48A5-B861-39813B713DCB}\TypeLib	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E9B4D72-C58D-48BF-AC09-68182D472160}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\Programmable	GLJBFF5.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPService.1\CLSID\ = "{F5379B4B-24D8-432A-9A96-BE75EE5117DB}"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7}	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E5C9E1-A0E8-4F8C-8EAF-0F9250CC5786}\1.0\HELPDIR	GLJBFF5.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CE5B352-9D9C-41E1-9551-FCCD92820217}\LocalServer32\ = "\"C:\\PROGRA~2\\Fun4IM\\Bandoo.exe\""	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPProxyInfo\CLSID	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFFA986E-4B0F-4F15-9DDC-19FE8129602A}\TypeLib	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GIFAnimator.DLL\AppID = "{9C123289-82E1-4da7-A3C2-B8D28AAD114B}"	GLJBFF5.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.BandooCoordinator	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}\ProgID	Bandoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.CoordinatorUI\CLSID\ = "{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}"	Bandoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94FBDF11-676E-42E5-A516-1FD39970386B}	Bandoo.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe
3804	$0.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	1676	Bandoo.exe
Token: SeDebugPrivilege	1676	Bandoo.exe
Token: SeDebugPrivilege	3880	Bandoo.exe
Token: SeDebugPrivilege	3880	Bandoo.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe
Token: SeDebugPrivilege	3804	$0.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 5068	3804	$0.exe	85
PID 3804 wrote to memory of 5068	3804	$0.exe	85
PID 3804 wrote to memory of 5068	3804	$0.exe	85
PID 3804 wrote to memory of 1328	3804	$0.exe	88
PID 3804 wrote to memory of 1328	3804	$0.exe	88
PID 3804 wrote to memory of 1328	3804	$0.exe	88
PID 1328 wrote to memory of 3228	1328	SETUPD~1.EXE	89
PID 1328 wrote to memory of 3228	1328	SETUPD~1.EXE	89
PID 1328 wrote to memory of 3228	1328	SETUPD~1.EXE	89
PID 3804 wrote to memory of 636	3804	$0.exe	90
PID 3804 wrote to memory of 636	3804	$0.exe	90
PID 3804 wrote to memory of 636	3804	$0.exe	90
PID 3804 wrote to memory of 2360	3804	$0.exe	91
PID 3804 wrote to memory of 2360	3804	$0.exe	91
PID 3804 wrote to memory of 2360	3804	$0.exe	91
PID 3804 wrote to memory of 4980	3804	$0.exe	92
PID 3804 wrote to memory of 4980	3804	$0.exe	92
PID 3804 wrote to memory of 4980	3804	$0.exe	92
PID 3804 wrote to memory of 4984	3804	$0.exe	93
PID 3804 wrote to memory of 4984	3804	$0.exe	93
PID 3804 wrote to memory of 4984	3804	$0.exe	93
PID 3228 wrote to memory of 2792	3228	SearchquMediaBar.exe	94
PID 3228 wrote to memory of 2792	3228	SearchquMediaBar.exe	94
PID 3228 wrote to memory of 2792	3228	SearchquMediaBar.exe	94
PID 3804 wrote to memory of 2300	3804	$0.exe	95
PID 3804 wrote to memory of 2300	3804	$0.exe	95
PID 3804 wrote to memory of 2300	3804	$0.exe	95
PID 3804 wrote to memory of 3284	3804	$0.exe	96
PID 3804 wrote to memory of 3284	3804	$0.exe	96
PID 3804 wrote to memory of 3284	3804	$0.exe	96
PID 3804 wrote to memory of 1676	3804	$0.exe	97
PID 3804 wrote to memory of 1676	3804	$0.exe	97
PID 3804 wrote to memory of 1676	3804	$0.exe	97
PID 3228 wrote to memory of 2708	3228	SearchquMediaBar.exe	98
PID 3228 wrote to memory of 2708	3228	SearchquMediaBar.exe	98
PID 3228 wrote to memory of 2708	3228	SearchquMediaBar.exe	98
PID 3804 wrote to memory of 3880	3804	$0.exe	99
PID 3804 wrote to memory of 3880	3804	$0.exe	99
PID 3804 wrote to memory of 3880	3804	$0.exe	99

C:\Users\Admin\AppData\Local\Temp\$0.exe
"C:\Users\Admin\AppData\Local\Temp\$0.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe
  "C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe" "-oC:\Users\Admin\AppData\Local\Temp\Fun4IMFiles" -y
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE" /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe
    "C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe" /S /NOADDREMOVE /D=C:\PROGRA~2\WIA6EB~1\ToolBar
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /u /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      PID:2708
- C:\Program Files (x86)\Fun4IM\BandooUI.exe
  "C:\Program Files (x86)\Fun4IM\BandooUI.exe" cookie http://fun4im.com
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:636
- C:\Users\Admin\AppData\Local\Temp\GLJBFF5.tmp
  "C:\Users\Admin\AppData\Local\Temp\GLJBFF5.tmp" C:\Program Files (x86)\Fun4IM\GIFAnimator.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\GLJBFF5.tmp
  "C:\Users\Admin\AppData\Local\Temp\GLJBFF5.tmp" C:\Program Files (x86)\Fun4IM\FlashAnimator.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\GLJBFF5.tmp
  "C:\Users\Admin\AppData\Local\Temp\GLJBFF5.tmp" C:\Program Files (x86)\Fun4IM\CrashRpt.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\GLJBFF5.tmp
  "C:\Users\Admin\AppData\Local\Temp\GLJBFF5.tmp" C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2300
- C:\PROGRA~2\Fun4IM\BndCore.exe
  "C:\PROGRA~2\Fun4IM\BndCore.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3284
- C:\PROGRA~2\Fun4IM\Bandoo.exe
  "C:\PROGRA~2\Fun4IM\Bandoo.exe" /Service
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\PROGRA~2\Fun4IM\Bandoo.exe
  "C:\PROGRA~2\Fun4IM\Bandoo.exe" /Start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Fun4IM\UNWISE.EXE

Filesize
149KB

MD5
973567b98cdfc147df4e60471d9df072

SHA1
3c4735750c99c63e6861170a8c459a608594211e

SHA256
69b9dd6160524e0eb44905224f5b1747dfce43243c00c11c87f5c2ec55102876

SHA512
e891e3a413691eddd895a31293117aec8d151ecf18f84d3aa73bc1c4eb95582df1dfe04d51b7011eb55b5e754e2240de4c6269f9547f3cab3519985da1e07294

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll

Filesize
85KB

MD5
5341d89ccc497fcdb3cb2b0ee447af2c

SHA1
21569742db2e4b878560c81b1c4d660aa411f2ee

SHA256
6cbf7ea6d40cf18fd45be290cf450fa49ca589603c36b193a43d40479b2053a6

SHA512
5cb97e4c32c5086358611323be03ee831667ed980e5b7315d51533724f4459099cb5993a44d644d6c59670e297870cd52e0693f7a78f6485cd19349c7e16bef4

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next-off.png

Filesize
591B

MD5
ec52771cc9f815db8567ed6d7cfe1b09

SHA1
e1a93767f8336a722d5f6dc1e24bd0336e34a77e

SHA256
ddc97723151b88824e949b565eab55b2acd9ef0df9b95ad1ee6f0dd1f97bced0

SHA512
78f6030e570164703d1e7fb4ed407bed8f7de879c861cc6ab27df6a3919ebb4aff5c1826f3e57c535294bca256336e359564df1ce35b21c7a242b42a40bfbebd

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next.png

Filesize
627B

MD5
53c02dc4ee48e77ea7e6f15b8cd9b632

SHA1
278a37d0be98089abab95b1438082edf21e33b83

SHA256
d5275d4eacef964ceac13a7c71c25cf8169477df7254e5d672524394e23f4457

SHA512
9e953bcec9221e40ee67b1abc2e713064ffc63be5b7727424219a399e4ffecaea53deae1d734cae5354b5aab4f65721e84f7baf4861bc863c3ceb3d28a4d300b

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous-off.png

Filesize
633B

MD5
9a8d072191d4e475e5e480fc3543b16b

SHA1
783592cbcf2d9d9417d1c3ea7e80b8cca46dd590

SHA256
e7cf677144d89ca7eff48d4179bfff6fa976ef07a7c72c5287a8e64e261dfafb

SHA512
3ac524ba93c5d0ce3e80dfd251da4cc6bde325d46bd9ef63f24ab442122957e312107053c85fec24d0366767424361fcb0cd162bc6ed769a9025b2b8e1bf1000

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous.png

Filesize
667B

MD5
10783b75928207bf1dd84b5a1f65c7c9

SHA1
a3d4f71415026150a7e87535e359ca390c2eae1b

SHA256
6728d4c55ad14ca07fbb022dfb993f677ebd13c6c164db489c5b6c33b443211c

SHA512
90a4a3bfdc265ba14b27107135eb6ab658d556e3b6198f3e6fb60f035a40dabc73d1a47dc327fd95664d18b624cb5a6cfed1316371e46e127d4eda35d21fab1d

Download Submit
C:\PROGRA~2\WIA6EB~1\ToolBar\manifest.xml

Filesize
677B

MD5
809a59f13e2410bc684ba26004c19a26

SHA1
73a8d3364be3a2585b4096beeeca8f7ec0e57f87

SHA256
c734caf5170d50ce5e51b7512c8a795d0ca5aa0a3e201e6a2900967e016afa69

SHA512
f52e269104480d3979f1245e61bcbc433b39bb0d75ad4e6d4f86627fba1e4a09d24620e0f7cf4570d6d1c89fcdd34af10270738639c51c4f946c9846a7875d5a

Download Submit
C:\Program Files (x86)\Fun4IM\CrashRpt.dll

Filesize
341KB

MD5
48796c97029b662bf8f8cbc1990324fd

SHA1
b2b8b08ac8bf4daa0619d335b2369ddb1d5c9fe1

SHA256
1432e09a68e76a0791750fede63ee44ceb2270ee1cadf9356de969706b031a56

SHA512
071ff77893382bc5b4d152b7cec6eaa02b0b89087fa592df997fb26d3e34fb27ebe4215095cc6a5887a0943fe52b098e6aa2b25b44bb01fdec82d8714ad4a3d7

Download Submit
C:\Program Files (x86)\Fun4IM\ExtensionsManager.exe

Filesize
1.1MB

MD5
823bea11a41ebc5874534c4d2ead58af

SHA1
3a67665e49d187aca1b807885d8c2a8ee3c18af5

SHA256
10136b60d4fb77edc7512c98775500ad4cc6027aa6bcd08aa396476d097e1c0a

SHA512
887d16ddf813be6c812f03d2c8105a3a7c176617be637e062727d2c95128ffd056de0b5d6b586a8f1fa59a3cd3217c78116c9d3f3ad4eff64e3341eb745b15c3

Download Submit
C:\Program Files (x86)\Fun4IM\FlashAnimator.dll

Filesize
160KB

MD5
5893f6ca8c62621bd3b7fd194d74a286

SHA1
c6261d3156f3a7b74471f3916ea5637ab91e22bb

SHA256
405171fd1655032507559036c1259a0edcd8936bfaa564184a4e692b918d445f

SHA512
32350ced1f3901d41286c38393da0f9beee306649fe69f08546e3036b460087fec26dc1cfba4a1899ec441d1adf73fc727698800ca1e4a77b9ad3ed52bd96293

Download Submit
C:\Program Files (x86)\Fun4IM\GIFAnimator.dll

Filesize
162KB

MD5
dbef230ea5ebd1f6fbe5be5e4cef1d1b

SHA1
987b9898cacbfe9152eff4bb0b5e3566d2212895

SHA256
6903984b835179bd0a234fad3dfb19802d22f69cc96840ad505603e67126be25

SHA512
0da271928c8a1c2d855691b71fd7bad1ebb9fdfffe138805c885f90df9b33375549fec338a8c38fbc78b64f6fe8128a2e84df726deb330a96b505f3383f05435

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll

Filesize
2.1MB

MD5
a72cd138796f5d4c8c02b50c3288726f

SHA1
039e5bdce33569351dd4f3a45c6a3b9b4c1e6fbe

SHA256
be91bf1a8a61558561118e51c980029aad59cd8eb062ceca8a1f59adb59afe65

SHA512
babff671ca7373cc4a7b197ba4b4becce5b0ec133993156090393f32392468d13c3feeb1b60367a7274fb982e3f2893e133418db9a5674db4bda235949110be5

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0022.TMP

Filesize
1KB

MD5
4b24730682e1bd265e08bec28bd68c2b

SHA1
a9ada2a9ec74268874601731c7e3b41c7b0846e0

SHA256
9c1eff07cf8d7f35bc62238e5c7fc51e413ddc8f80a1071e4ae41411961815ed

SHA512
90d730486e788f5b1e33cfc9f8ab9946845fd125d6dbe48df9b5b3b128d5236066ff62b9304f32ffdbc3023967046aa83d52e4da99bdf19b9c04d1b0c6a387be

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0023.TMP

Filesize
1KB

MD5
e5f04b872687c16acebb60726886b67d

SHA1
1ab298337ddb7cebc97b03e512ac1257e50dd149

SHA256
0f146fae3d2e3aaadb90687dfeccd0a26927254a048be7828bf2b12b6237bed3

SHA512
421dd77fee2d065bdc683c5ee3254bce9d6d52aff7190cc15d193590a6e58b92ca3095d143e7a73c993f955c5d2620868f8d566e706df7d97ddbd69302ccfdb0

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0024.TMP

Filesize
1KB

MD5
92b06f6952fd2e0266d5246506515b8b

SHA1
7ba5807536048f3c5fc0cc76d6e5984f4fab88e5

SHA256
baeb3bac49604023c3093d1340af6c5c0a9e20c2d479b6141e52ced932dd092c

SHA512
714098c30460784d99f5aa8b2268dc7820770f3e35d93ad319d8fc319ead6adc1ec8ea30cd535f729165b4d8a4258e5d00f18838c541f36ab71c9e3c0c95ae38

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0027.TMP

Filesize
3KB

MD5
71d54a61b44e3aec554f30ba43986a53

SHA1
d87ac38081c01a8b8dfd50cf129a94692cc84849

SHA256
7cb8db9993d52bc66f45e0900e5acc36ad40c2f6b3ac25d7f4aa892a0bf5c0bd

SHA512
1a6f730801a57d99d995847512c6b079f9f963b968dea49d43e6c45a05018ec8bee2c4b058f847cc245b07667392d5a6aa6908074d3a7d79883980a704fdabb7

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0028.TMP

Filesize
3KB

MD5
8b518642a7ed21cb2008ef4ea558aaa2

SHA1
d811236f78fe3e2f4d7fe93653addd58da6253a1

SHA256
411b37dd8a13a1da1cf688ca3a646fef36113956be76c7c6630647fa7382324c

SHA512
662fea897287ddf520781262c9745f2a6ad508333e0177ca7f18f1a39ef1321ed781648bd77f54d788d2b5ebeb7fb266fa477638363c5eab1a71b5a6eff22663

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0029.TMP

Filesize
3KB

MD5
bd503fc079afbb9593e01e3f77f684a5

SHA1
caccaeab77250dc2f3ca6cc37d1efdcf59251997

SHA256
5b93440f929865a5d80106358550b64d18df20a42ca5254a2b5a5c6b7653eaa5

SHA512
b947cb0d4b35a238626448b5b8c081bd2c984b07929523b13e43185e450b269f934084659ec2583f14ceda68d4814f9fe25cbc07d9ef2afad15e2a8d8c8bf8e7

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002a.TMP

Filesize
1KB

MD5
dc77d8c55634ed66b8625c987eb25946

SHA1
5ad7bdc1ca076e94d465fa343ab4cbcf9858597c

SHA256
2b3a45b5f2f7cb5e3f7112e59d4e94ace459d16126a8107a93bad1e6f15b6c5c

SHA512
ea662835239dbf9b2e9ef9965e66984867bf25b7a5698cfa8c97123912622c1e8e1f0b2475ee41f8df5ebd8a217741bc69afd06481a9991f79a15f00eab328e9

Download Submit
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002b.TMP

Filesize
1KB

MD5
d4c76de55315e8eee5b34ea403af3fd9

SHA1
551cca2f1a1cf1f2b71d5a65ee7cf6a391b72f91

SHA256
184007ae605ee4ffbdbf779e6275f6a75aa9250cda8652bf9ce73b5dac54d76a

SHA512
78f3049bfb91e9d43f963f8f1a05ca2fdb867c2ed2661a43787c0066b9f101a0c1adb0bca211ffb0240f33529e8bfed8d4552b4d4f49015b59044a650cef0126

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\BandooMessages.xml

Filesize
10KB

MD5
97c46521e75a3a738208cf5711782523

SHA1
d09ec7c63d8bc27bb29c700a4ba73d864bc28d98

SHA256
e7e326b997de54efeb2c4a260836ca19c24de9f3a3b603aaafb59132db12a1a5

SHA512
771234afedd61d13f8caf0744b7416c07bf13ca2cc8f8ae57504a15b4cc1ce867612a5c7531d1360e8bed600b8f6b1790ee80bbee0ad7d860c967df642c12bd0

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\downloading.gif

Filesize
1KB

MD5
e57db08b1b405864e28e9282c05a5e26

SHA1
761bc01a3fed758253cb32fa9674edaa08a1fe9a

SHA256
17d73f59930d91b4eeb1abe7695d547a3a7e6d7be419e07b188b95a21236d7fa

SHA512
7b0b9c3c8811729dfaf4354d79d37f51f4d8accdbed147fe3ed50289bcd328cbad8f87d44d62fad275125e23d63c974f7d48eed3f3350a7f7d3b8c0c672a8f47

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\nudge3.wav

Filesize
21KB

MD5
db507d76fe5408b3ecab582b545fbd04

SHA1
6c32d18157dde92d056a86a4f23c57da5f82d889

SHA256
d5202d30e318458df7a56605937a20eafa37714884edf43dd4c7a6324794323d

SHA512
834745c1bcb5482f2d37b821248120fa4b605969e6c381d8c74bcaade63836fd9f627ec386963262b833626f3cfc1fd5bb903a539189c5ddac13808001d7e6cd

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\nudge4.wav

Filesize
53KB

MD5
8ea6b0aec1769520e28c9c4a4ee97011

SHA1
cf469dd89b588e79f254c41c61a7012adbfbe061

SHA256
a42a6fae8baef018de0c25d35a3fdfe28abb72066ef7a4169b19748e5e4e1002

SHA512
27603c9efc258ff97956a1aeb3a321b921366eb62613fb67f5acb908fcf4b600422b696a97d92f8742a219114b709d340ed853fd7f7d76243c5f21499dd12bad

Download Submit
C:\Program Files (x86)\Fun4IM\Resources\nudge5.wav

Filesize
32KB

MD5
2ac2fcfa7469d5fa2d7e6a762aad45a9

SHA1
08358fcdf1efcfe6938f5ab0db19a745544f1b79

SHA256
627a38c6c239a51d77780bc5bde4cbe6e91d60a43cb2359116295aca766dce90

SHA512
3c910b4bdf064f82f3662f6399a3fe7facb9de19202d460fd9f99a3d6de015e46248b325c4902373c195bb62b789315c4c051691b9750ba3dd16f4ee9fae415e

Download Submit
C:\Program Files (x86)\Fun4IM\license.rtf

Filesize
43KB

MD5
811bd95a366cd578e1ad14dc34a22bd2

SHA1
baa445788ec5d58d54f3db3ae8b30693ade29a75

SHA256
2063f5f281a700e5ada86f6911bdecc52bce49de464e978e7245a9daa0ef7241

SHA512
658c3a9e35737b6c0f7787a986200570862a0058d01b6aef817bae4ea50dd4957421b67197298e4a026b7bda7806ab83eec4d1c72379f3e8eb8a629c91819968

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BANDOO~1.DLL

Filesize
370KB

MD5
978ec98a467d2dce39fc5e349a0fc654

SHA1
9f737cd25b60b30f89ea4bc98c35860c049c5ae6

SHA256
602e7176b963a575a18163c92d6e22ba78d42979d05e80940983573a6438edba

SHA512
e243d8e00e7ecce08deea9b8bc8d2a9b36641324388a6be9e0d6e40206632e321762224721208356e7bb2e2e7793eaec1d0659d49bc8b7eb90f6c7d269dc4867

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\Bandoo.exe

Filesize
1.9MB

MD5
ea7670482ef8c3d2788c6618a1023a76

SHA1
61ea87eff4ed3fb15560ea4fb3c6378de7096287

SHA256
fd72406e887f28c0bf01021e1d3c29ef896f0e0049fddd3e3839131508068483

SHA512
eaf79ae2b186962d8a849797b46ed22a875a3c9dc7a7b09109b203e89ec6baad8236991ff15c1c5c18de7d3cc4e2e47b47eff8df32f4cc393c1c633d4c4b305f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BandooGo.exe

Filesize
1.0MB

MD5
6122b5784fb3322af1ca7ed5563f9f88

SHA1
797df1ed22fae6841043cad26ba34b292b15f316

SHA256
ab1b615cc0a38fd765ec078254bad57e27a0ce22db5ade7d25d0ed94bc9ed3fc

SHA512
68ab4904351c35844d2594a3eef1c6071ca307abb8445982ee57e025d9c330fd907d7afd6b206a013c03d500dead82da31db557d5976e404679993379a83916e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BandooUI.exe

Filesize
1.7MB

MD5
9cccdfccb7f2a6d61c509f60e928c177

SHA1
3a513758615a7a59860e221fae554a0b9127ea69

SHA256
938cb652ee3ec0fddc55332ddda7e8311348051b5dd02daff593115bfad2006a

SHA512
e2dc0363d727f908e2f2d7c361d2ca8ae757842804eceb7eb75b3a7539d466cbdab097541c0767549add36ca39eb0ee4782de32863b6995611eab3f875121e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BndCore.exe

Filesize
1.5MB

MD5
3dc8dfe611053a3d862c549f6e4b052a

SHA1
324b882de4ee80617f06a122675c0210c94fde86

SHA256
c31471f98d12204304e2da4489980937accf6841db8f5c95e4402449548f7f2d

SHA512
c43eacbe233b7b7382bd5a4f3d92007c2e3c3e08725575045fb610e0d7cd870771a4f3819951aa7efc85cd66a1a9834cdfdf6be485459464e5886498083f95ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BndHook.dll

Filesize
67KB

MD5
83dbed8794c11c41b64708bb02b6b53d

SHA1
0e6a549961d851e4c87a089af736d63c0bc7c002

SHA256
af1725d9c50def042ce50d6a725f015037a8786347bdede5bc8fa34ac3d087b1

SHA512
e07dd6afd043d3b23fbdc48bdff030419abd65335d1313bd9fe35138931a539b44a963baaebb55d0371753695b92348fdeee5280bd685e477c688f92aa231b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\INSTAL~1.DLL

Filesize
1.3MB

MD5
a4acc1ddc7716f8e45b352e7efbfdec3

SHA1
12d97dd518b31e51e4ff66a6bcf0dd9b33213588

SHA256
37131a34d25379d2f7bc24e6334b1e797ec34f29456ce22726ce879cd4a526b3

SHA512
27f0a1b1270b516c115db3a8dc3664bdd957d7876e5dd96ee7b545116d5ffddde8e0897195b77312d241718ef9fe5eb701ab6f936dda95474701919a5edae477

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\MSNPLU~1.DLL

Filesize
2.3MB

MD5
f24409b488283a507623fab59fb7a61e

SHA1
0d49d7f2afc58a610eda3a37d4b2f1170b391264

SHA256
d85c8f55d06c54d6d1f023dc97d53bbd9540473c00746ba14948666e7979a48f

SHA512
9965e72f54ddf8ce93cfe87d823e1633bffdd065a82b45ba08979c7bf017c514727e8c30ea9a6a5c4619a9f398ccb32fc16b69eab651b57f24d499a31e19ec9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\PREUNI~1.EXE

Filesize
189KB

MD5
2f545b97b9481af9900aac4577454b1d

SHA1
ac1821fc08c89fcea1aede404119d316a44ab0c8

SHA256
d2dd5b8c00ffe6450389d61d51e247927ff36cf3eaee8caeedc4225cedb2f712

SHA512
0551b918cba83c7153592651eca84567e711e7b5cc658618edd08e32b2f08987cc22d6803cbd864114bfcce8954902a4b02d5bb3c3259b7fefaac0b84fae9e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\Plugins.ini

Filesize
255B

MD5
1892f1c769946d1a66a0afb2436c4f4b

SHA1
9d39ccf030fac61af3556de9eb2501156669c8de

SHA256
9a5edb451f045ffd1d0cb19e0e313de52942bfcad87755def690e83e394dffcd

SHA512
ca15bb9c64f5b8987264e3443c8181f89ea70af59fb7fcfdf0cd082b5ab46b4d8b654da197ab903d4590abe799d9ee200f6d0a8ace048d74a87fdacf960b791a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\nudge0.wav

Filesize
11KB

MD5
f96b12eff2e280fa46bcc195d2d057cc

SHA1
fa5a8151ad4f5389bd212ec9dcd038c6eb9c5805

SHA256
54d7ac010bcfbd438f1d5c0d0c499490868eeb554391080eecf1080631f97f04

SHA512
5ced80ac083a32783e833244d6396868a307556a87af687cdcc6757278ecf49badbd388a4c667567dd9a05fa179187ce1b95f0cc5922deb56207dd5d34a48168

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\nudge1.wav

Filesize
12KB

MD5
a28a7e96196efea17fa5ca7d2a58f5bf

SHA1
2521a16cb673df46a691e9627bc9ccb87bcfa6da

SHA256
0ad6f4b78a6f6ecbd194c3d2ce99346400141ba495bd3beb103d03282b30dd69

SHA512
770127ee43bfe8370676c9b5c82f4961bb8914842553dcb0482da0dd2a1c996a59fdcbd583d0b0b4e3b64ddc4de86af373dd1fb192d428a130d6fa3d73ab1980

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\nudge2.wav

Filesize
14KB

MD5
4e32717c73d79a7d6a6c070cc603a039

SHA1
c8ccfec55fac31756d55795f6d91d3f1314a8580

SHA256
70c7247a884aa000d618eacdb55abfd7647956ec736065e816533b362249b9a3

SHA512
097137c44f7f47b10661ddc93e76060d163b96d4a2ab8da6281f20ef4ddadacc8b3029296f5fac173e7137f8e94a78cb18751d496a9289d400e7b98ca00eb1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\YAHOOP~1.DLL

Filesize
2.1MB

MD5
9a7dc6f241432fb0ee30c45f6d0c74fb

SHA1
bd3cc74d5ba94e87b47d6980687e96c72f7c8030

SHA256
750a65ba88da30b0356cca57994532c4311f7ce4e072b63d8882efc652ce7ded

SHA512
c6818e0aa0cc0e2d36d60d2cba6dff01dd6a8b40db6d10e537d37cb2e91604f800ad494adaeaadd98484947014df089a0017cfe7de84d18f57b9f67ebe205a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\FFSETT~1.EXE

Filesize
139KB

MD5
d1bb2ca95ed61ca158fee42c4714a47a

SHA1
d28124ec312d1d6a7d92249353c3ba0b9e13930c

SHA256
226c2e50e91306f6ae1307e8a3a2ccd04054cab85d9ac1d205a6bd56ae82c305

SHA512
71b3cfda5c447546f3ed2a52183417013ad6413fde737595c57b74bba066423407971b4d96bbe7ebc3b96f5e533a5dc6b1e544c91efe4ed14019f32b023cfca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\LIBUNG~1.DLL

Filesize
30KB

MD5
5395d8552b99dacf6f4cc4610dc317fe

SHA1
96187f9d487600268428a98c77788f5be9c195c0

SHA256
f3deaa142f26b1596d73ea7d5f2844ded23265c215f1b0ad435d6203bf1544f5

SHA512
d1cb0f8a598cbeec8bc954795530e7a41df4f9cca631604ec69c02d4d697fef7ff071446ec29f48370e96bd8a9e151bc0748a33a7d52dd9552ddd6b7f05dd2ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\SETUPD~1.EXE

Filesize
2.3MB

MD5
0487a88ce05c6b6d80e51bd1bc803bcc

SHA1
a7a57b06079045621c92c0a07e8ad852d54f66e8

SHA256
2e3e217282b926f210e77315ec5a45c64eaad7e0e0439c9cff713b31029ada20

SHA512
64fbd3f62de85fca031add4c01904f09fdfddbb1a379c9af65ba35b698b865553d170d8c7e408f07a25954b29bee77754270089774a1e505dad86b8955d6730b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\WPSUBS~1.XML

Filesize
1KB

MD5
aeb8a0f98aa3c7ab18d5ff3c7adaf12f

SHA1
a10588232218b98bdc57d6a7dc6dbf63b9981ceb

SHA256
a69c0d2985d39d49165cde5c9662ee642526459fb44a0469b1c57b535f0bd730

SHA512
0238482a2546528494e977530c165f266ba8bd354d244bbb47af5d61736670e2686278488002d70eeaaab39fba203b1c2b915f4bf51c645bd349e93ea4a9d1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe

Filesize
6.7MB

MD5
c9eb1f8cb9ad3fb9afe746d795fec690

SHA1
5152e2eaf846bb07d0853ac76fb08a1fccbb4170

SHA256
d6f2ab4334012f22a99ad45c1d10c275ff8989522610bf82fd85dfe965c221fa

SHA512
179cca09515476611550883127eb0b2c26e64e3bf6d56cd1ae7d09dc7187d720846fb16899a9d9c3b5a0a6e0c72dae250b0a7595e6b9be80d187b1f0c4141393

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\Bin\resources\plugins\OE\HTML\blank.html

Filesize
471B

MD5
8adb616d567aa9bff9e4ae0706bccb3b

SHA1
0bbf2ce61145358a89cf4af14340071a9c680b8d

SHA256
5bc3f1f0e802f4143a88186e9eb7a8d0465bf788c04d109512ae73942f378be8

SHA512
1d1b08ef9ee0a47ae2888711b042229c66e1d2d1dacb705d820793300670f81de7a62f8f117dfe8de406133d778519519bde3205e9914658256c8f8b6181bcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\Bin\resources\plugins\OE\HTML\error.html

Filesize
723B

MD5
b7c7467f89925c675476492aed843958

SHA1
3357ffd23d718bf60ce999a1f82987a40da4ae0e

SHA256
690db044770f1d0e1d9350ff3bb41a5151a0a75c47d7dbef50e48efbae14d656

SHA512
cf4ba2f79dc908c8e6d73cb9f7399e2993df47604f7c9f8332c4f1cbcdca6d5756219930c9e526fd0e909be8c60feb13bf16fefc112cb97d47c34939afcacdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLCBFB6.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFC624.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLKC1FA.tmp

Filesize
35KB

MD5
5614b11b85320c6e526b9ccff1fa7448

SHA1
1c01ecdc58643d752344c8dd1fd6ff04c554d874

SHA256
e4993861e8dc24757dd9983086203a078fc48f7a71efd6f3746c23bb12bf9b60

SHA512
58cb7cd54a81ae7f40ab0036b8479c18b16536ba4676dabb494b7eeb6c02283c3170b99048dc08476fd7d3b833efcd89842a871a1ed5b89d1ddd3bcb43c98d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Searchqu.ini

Filesize
231B

MD5
55d7d392f1abe3ff5934b395be79b4f3

SHA1
fb21e5f479e1c0edcf4cfb51fe8e6f99688c8c91

SHA256
18b51f45bbb92889498317702c75fcbfb7721c443da6c0531a73d26ea188e4ee

SHA512
3b98fc378d320634cf6b78917cc3f9fe15e2bb9d0386c10b5b7755a2da92661f2d4eba3d9456a87785e49e5dd1ec0895b557a05678240ae4217a631d4e053cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe

Filesize
985KB

MD5
0cc6b522d6d5a0a434cab814b6fc060e

SHA1
954edee56185e5edb04ed2975831a7b3e359c355

SHA256
340b17703b82755262173c8218c4601928244c6dea2d68c53e1b9985c4ca47fa

SHA512
c45c5f47f6b91810ba4e17ddc22646e512062cc0f2044710a2ea813c42132a6221176018a6b16d843651e179026863167f3a52b29989afb13e51974cf8e99c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD1D8.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD1D8.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssD9B8.tmp\InetLoad.dll

Filesize
17KB

MD5
e241424579fdfd683f0adff02b7483a8

SHA1
c4cde72b3e5e34730a41d43383d1234279dff1f6

SHA256
c8601ee8eda1952ac188c05ae0527b51e525ee4ff36f67218dfdd2d48c79fd6a

SHA512
a0c0f4bb55b8c0143266705292805fcb98f72dbdc4b724569cb31bd7488258ded63583e1f060c1d7bf003d3df2018b05a0720cee3064b6f6c60247e959636947

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssD9B8.tmp\UAC.dll

Filesize
16KB

MD5
0d422e0c03a7d9428c6c02175d7dc9f8

SHA1
5e13d49521cfbbe52cd74de8e1682789f0268969

SHA256
9f47ec720d74e538bbc8d0c1118efcbc52e52050dbe98c27029fc35329996f7c

SHA512
2edf47b24c4201e082841824d6ad9047a06e9a877d799e87befaf5d54179c924849d2e608cf9f60a1480828edcd98e19f3d139d19bdb4b96ee4939fe58bf0887

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssD9B8.tmp\xml.dll

Filesize
26KB

MD5
fbda05aa26e02d38effb82294e83ea69

SHA1
aa2291ace177515173315668480c74442e21549d

SHA256
565e439a6262cbe6c8164312ad330930738efa8d4defcbcdcc1eeb752fdb75b3

SHA512
3fd4dcbe059df3078f7709b2b9edbe30744ad7ff6e4cd1c494b40bb796a31838d5c9761fe9db860c38bd929c364df4767435fb85dc4e4115e361dd9d640c256f

Download Submit
memory/3228-575-0x0000000002270000-0x000000000227A000-memory.dmp

Filesize
40KB

Download
memory/3228-1066-0x00000000038B0000-0x00000000038C6000-memory.dmp

Filesize
88KB

Download
memory/3804-721-0x0000000003DF0000-0x0000000003F39000-memory.dmp

Filesize
1.3MB

Download
memory/3804-231-0x0000000003B20000-0x0000000003C69000-memory.dmp

Filesize
1.3MB

Download