Analysis

  • max time kernel
    43s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 18:43

General

  • Target

    JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe

  • Size

    6.5MB

  • MD5

    cfe3ccd4e51148fc43af6918502968ed

  • SHA1

    fe08ac064dd792ec012929a1873e60ac2a517859

  • SHA256

    2dd4cf403fe7d85d7d32cfc69239c479f4d25067facf6f38be38593582280b2c

  • SHA512

    9245582ff6373fdf44795fa276ccf950bbeaa97b8427d3e47c304d74c0ac93ba30c92879d81c03ce3e6ad19f29d85d08e6b527d63660e3d922b01210cdd97435

  • SSDEEP

    98304:TEI26o3CUY0XAKnx/tbTlu3DkaihIlYRVMN4lk7vYxNKtODx/JNkAJPWMx3QTw0:PGRY2AItbhuwaielYRVM7vKK0oAdDgTf

Malware Config

Signatures

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

    BHOs are DLL modules that act as plugins for Internet Explorer. They are loaded into every IE process, which makes the BHO registry key a common persistence and browser-hijack mechanism; here the module is registered with regsvr32 (see the process tree below).

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 5 IoCs

    Packaged with the Nullsoft Scriptable Install System. NSIS extracts its plugin DLLs (System.dll, xml.dll, InetLoad.dll, UAC.dll, GetVersion.dll in this run) into ns*.tmp directories under %TEMP%; these are stock installer components and are weak indicators on their own (see the Downloads list).
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe
      "C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe" "-oC:\Users\Admin\AppData\Local\Temp\Fun4IMFiles" -y
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2996
    • C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE" /S
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe
        "C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe" /S /NOADDREMOVE /D=C:\PROGRA~2\WIA6EB~1\ToolBar
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /u /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2836
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:940
    • C:\Program Files (x86)\Fun4IM\BandooUI.exe
      "C:\Program Files (x86)\Fun4IM\BandooUI.exe" cookie http://fun4im.com
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1124
    • C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp" C:\Program Files (x86)\Fun4IM\GIFAnimator.dll
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:900
    • C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp" C:\Program Files (x86)\Fun4IM\FlashAnimator.dll
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1740
    • C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp" C:\Program Files (x86)\Fun4IM\CrashRpt.dll
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1896
    • C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp
      "C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp" C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2376
    • C:\PROGRA~2\Fun4IM\BndCore.exe
      "C:\PROGRA~2\Fun4IM\BndCore.exe" /RegServer
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:1692
    • C:\PROGRA~2\Fun4IM\Bandoo.exe
      "C:\PROGRA~2\Fun4IM\Bandoo.exe" /Service
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\PROGRA~2\Fun4IM\Bandoo.exe
      "C:\PROGRA~2\Fun4IM\Bandoo.exe" /Start
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2232

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\PROGRA~2\Fun4IM\UNWISE.EXE

          Filesize

          149KB

          MD5

          973567b98cdfc147df4e60471d9df072

          SHA1

          3c4735750c99c63e6861170a8c459a608594211e

          SHA256

          69b9dd6160524e0eb44905224f5b1747dfce43243c00c11c87f5c2ec55102876

          SHA512

          e891e3a413691eddd895a31293117aec8d151ecf18f84d3aa73bc1c4eb95582df1dfe04d51b7011eb55b5e754e2240de4c6269f9547f3cab3519985da1e07294

        • C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next-off.png

          Filesize

          591B

          MD5

          ec52771cc9f815db8567ed6d7cfe1b09

          SHA1

          e1a93767f8336a722d5f6dc1e24bd0336e34a77e

          SHA256

          ddc97723151b88824e949b565eab55b2acd9ef0df9b95ad1ee6f0dd1f97bced0

          SHA512

          78f6030e570164703d1e7fb4ed407bed8f7de879c861cc6ab27df6a3919ebb4aff5c1826f3e57c535294bca256336e359564df1ce35b21c7a242b42a40bfbebd

        • C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next.png

          Filesize

          627B

          MD5

          53c02dc4ee48e77ea7e6f15b8cd9b632

          SHA1

          278a37d0be98089abab95b1438082edf21e33b83

          SHA256

          d5275d4eacef964ceac13a7c71c25cf8169477df7254e5d672524394e23f4457

          SHA512

          9e953bcec9221e40ee67b1abc2e713064ffc63be5b7727424219a399e4ffecaea53deae1d734cae5354b5aab4f65721e84f7baf4861bc863c3ceb3d28a4d300b

        • C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous-off.png

          Filesize

          633B

          MD5

          9a8d072191d4e475e5e480fc3543b16b

          SHA1

          783592cbcf2d9d9417d1c3ea7e80b8cca46dd590

          SHA256

          e7cf677144d89ca7eff48d4179bfff6fa976ef07a7c72c5287a8e64e261dfafb

          SHA512

          3ac524ba93c5d0ce3e80dfd251da4cc6bde325d46bd9ef63f24ab442122957e312107053c85fec24d0366767424361fcb0cd162bc6ed769a9025b2b8e1bf1000

        • C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous.png

          Filesize

          667B

          MD5

          10783b75928207bf1dd84b5a1f65c7c9

          SHA1

          a3d4f71415026150a7e87535e359ca390c2eae1b

          SHA256

          6728d4c55ad14ca07fbb022dfb993f677ebd13c6c164db489c5b6c33b443211c

          SHA512

          90a4a3bfdc265ba14b27107135eb6ab658d556e3b6198f3e6fb60f035a40dabc73d1a47dc327fd95664d18b624cb5a6cfed1316371e46e127d4eda35d21fab1d

        • C:\PROGRA~2\WIA6EB~1\ToolBar\manifest.xml

          Filesize

          677B

          MD5

          809a59f13e2410bc684ba26004c19a26

          SHA1

          73a8d3364be3a2585b4096beeeca8f7ec0e57f87

          SHA256

          c734caf5170d50ce5e51b7512c8a795d0ca5aa0a3e201e6a2900967e016afa69

          SHA512

          f52e269104480d3979f1245e61bcbc433b39bb0d75ad4e6d4f86627fba1e4a09d24620e0f7cf4570d6d1c89fcdd34af10270738639c51c4f946c9846a7875d5a

        • C:\Program Files (x86)\Fun4IM\CrashRpt.dll

          Filesize

          339KB

          MD5

          6674549585e1adbc9a453d864e0d70be

          SHA1

          108dd53d267a3039e8ec61a589e39b55c8c1b664

          SHA256

          8cb8a63fcb283a8b633ddaac0bf54d8ed208d4898388ff980107470b4860fc37

          SHA512

          8be6a47c1c87b12f6426aaca4594c51136ed530028e786dfa7f667392a164b2cf929285df445208b214e4cc57a06ef5e0cfdbec57f7f3dc105de75f7f89496b3

        • C:\Program Files (x86)\Fun4IM\FlashAnimator.dll

          Filesize

          188KB

          MD5

          425a1f948efb36e5ed37e7a9a25f357f

          SHA1

          67672df006a6313116b5bfa26e493bcc76a720c7

          SHA256

          d4bcfd1d80d2dae506cecbd64f43886ff822bc3f17f409017a6e6e2dc687407b

          SHA512

          b937752c802217d598ba3bae9267429534ca9d57942ce9f806d8231a49a2646189f20678bb6c88ee29499b99abc6840c15a78fab83827237b07f36e919a6a8e0

        • C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll

          Filesize

          2.1MB

          MD5

          2545b89113e0ecbe1df70e27d02b1a11

          SHA1

          6627431addba4d8db91c5a88ca74bf1b7eeeba79

          SHA256

          c2199938c3989c3e7471f2a219588a68e4e531742d7246e64ef053e6bfc265ee

          SHA512

          ba340e293e5107424b9cc22a2a88a6f71b7a39ccf02c7fc6af4a1a3566be5428fe99619392f46ad964d634e4f5239744e843b13918a4a904bc9d5a6b7af692a7

        • C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0022.TMP

          Filesize

          1KB

          MD5

          4b24730682e1bd265e08bec28bd68c2b

          SHA1

          a9ada2a9ec74268874601731c7e3b41c7b0846e0

          SHA256

          9c1eff07cf8d7f35bc62238e5c7fc51e413ddc8f80a1071e4ae41411961815ed

          SHA512

          90d730486e788f5b1e33cfc9f8ab9946845fd125d6dbe48df9b5b3b128d5236066ff62b9304f32ffdbc3023967046aa83d52e4da99bdf19b9c04d1b0c6a387be

        • C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0023.TMP

          Filesize

          1KB

          MD5

          e5f04b872687c16acebb60726886b67d

          SHA1

          1ab298337ddb7cebc97b03e512ac1257e50dd149

          SHA256

          0f146fae3d2e3aaadb90687dfeccd0a26927254a048be7828bf2b12b6237bed3

          SHA512

          421dd77fee2d065bdc683c5ee3254bce9d6d52aff7190cc15d193590a6e58b92ca3095d143e7a73c993f955c5d2620868f8d566e706df7d97ddbd69302ccfdb0

        • C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0024.TMP

          Filesize

          1KB

          MD5

          92b06f6952fd2e0266d5246506515b8b

          SHA1

          7ba5807536048f3c5fc0cc76d6e5984f4fab88e5

          SHA256

          baeb3bac49604023c3093d1340af6c5c0a9e20c2d479b6141e52ced932dd092c

          SHA512

          714098c30460784d99f5aa8b2268dc7820770f3e35d93ad319d8fc319ead6adc1ec8ea30cd535f729165b4d8a4258e5d00f18838c541f36ab71c9e3c0c95ae38

        • C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0027.TMP

          Filesize

          3KB

          MD5

          71d54a61b44e3aec554f30ba43986a53

          SHA1

          d87ac38081c01a8b8dfd50cf129a94692cc84849

          SHA256

          7cb8db9993d52bc66f45e0900e5acc36ad40c2f6b3ac25d7f4aa892a0bf5c0bd

          SHA512

          1a6f730801a57d99d995847512c6b079f9f963b968dea49d43e6c45a05018ec8bee2c4b058f847cc245b07667392d5a6aa6908074d3a7d79883980a704fdabb7

        • C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0028.TMP

          Filesize

          3KB

          MD5

          8b518642a7ed21cb2008ef4ea558aaa2

          SHA1

          d811236f78fe3e2f4d7fe93653addd58da6253a1

          SHA256

          411b37dd8a13a1da1cf688ca3a646fef36113956be76c7c6630647fa7382324c

          SHA512

          662fea897287ddf520781262c9745f2a6ad508333e0177ca7f18f1a39ef1321ed781648bd77f54d788d2b5ebeb7fb266fa477638363c5eab1a71b5a6eff22663

        • C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0029.TMP

          Filesize

          3KB

          MD5

          bd503fc079afbb9593e01e3f77f684a5

          SHA1

          caccaeab77250dc2f3ca6cc37d1efdcf59251997

          SHA256

          5b93440f929865a5d80106358550b64d18df20a42ca5254a2b5a5c6b7653eaa5

          SHA512

          b947cb0d4b35a238626448b5b8c081bd2c984b07929523b13e43185e450b269f934084659ec2583f14ceda68d4814f9fe25cbc07d9ef2afad15e2a8d8c8bf8e7

        • C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002a.TMP

          Filesize

          1KB

          MD5

          dc77d8c55634ed66b8625c987eb25946

          SHA1

          5ad7bdc1ca076e94d465fa343ab4cbcf9858597c

          SHA256

          2b3a45b5f2f7cb5e3f7112e59d4e94ace459d16126a8107a93bad1e6f15b6c5c

          SHA512

          ea662835239dbf9b2e9ef9965e66984867bf25b7a5698cfa8c97123912622c1e8e1f0b2475ee41f8df5ebd8a217741bc69afd06481a9991f79a15f00eab328e9

        • C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002b.TMP

          Filesize

          1KB

          MD5

          d4c76de55315e8eee5b34ea403af3fd9

          SHA1

          551cca2f1a1cf1f2b71d5a65ee7cf6a391b72f91

          SHA256

          184007ae605ee4ffbdbf779e6275f6a75aa9250cda8652bf9ce73b5dac54d76a

          SHA512

          78f3049bfb91e9d43f963f8f1a05ca2fdb867c2ed2661a43787c0066b9f101a0c1adb0bca211ffb0240f33529e8bfed8d4552b4d4f49015b59044a650cef0126

        • C:\Program Files (x86)\Fun4IM\Resources\BandooMessages.xml

          Filesize

          10KB

          MD5

          97c46521e75a3a738208cf5711782523

          SHA1

          d09ec7c63d8bc27bb29c700a4ba73d864bc28d98

          SHA256

          e7e326b997de54efeb2c4a260836ca19c24de9f3a3b603aaafb59132db12a1a5

          SHA512

          771234afedd61d13f8caf0744b7416c07bf13ca2cc8f8ae57504a15b4cc1ce867612a5c7531d1360e8bed600b8f6b1790ee80bbee0ad7d860c967df642c12bd0

        • C:\Program Files (x86)\Fun4IM\Resources\downloading.gif

          Filesize

          1KB

          MD5

          e57db08b1b405864e28e9282c05a5e26

          SHA1

          761bc01a3fed758253cb32fa9674edaa08a1fe9a

          SHA256

          17d73f59930d91b4eeb1abe7695d547a3a7e6d7be419e07b188b95a21236d7fa

          SHA512

          7b0b9c3c8811729dfaf4354d79d37f51f4d8accdbed147fe3ed50289bcd328cbad8f87d44d62fad275125e23d63c974f7d48eed3f3350a7f7d3b8c0c672a8f47

        • C:\Program Files (x86)\Fun4IM\Resources\nudge3.wav

          Filesize

          21KB

          MD5

          db507d76fe5408b3ecab582b545fbd04

          SHA1

          6c32d18157dde92d056a86a4f23c57da5f82d889

          SHA256

          d5202d30e318458df7a56605937a20eafa37714884edf43dd4c7a6324794323d

          SHA512

          834745c1bcb5482f2d37b821248120fa4b605969e6c381d8c74bcaade63836fd9f627ec386963262b833626f3cfc1fd5bb903a539189c5ddac13808001d7e6cd

        • C:\Program Files (x86)\Fun4IM\Resources\nudge4.wav

          Filesize

          53KB

          MD5

          8ea6b0aec1769520e28c9c4a4ee97011

          SHA1

          cf469dd89b588e79f254c41c61a7012adbfbe061

          SHA256

          a42a6fae8baef018de0c25d35a3fdfe28abb72066ef7a4169b19748e5e4e1002

          SHA512

          27603c9efc258ff97956a1aeb3a321b921366eb62613fb67f5acb908fcf4b600422b696a97d92f8742a219114b709d340ed853fd7f7d76243c5f21499dd12bad

        • C:\Program Files (x86)\Fun4IM\Resources\nudge5.wav

          Filesize

          32KB

          MD5

          2ac2fcfa7469d5fa2d7e6a762aad45a9

          SHA1

          08358fcdf1efcfe6938f5ab0db19a745544f1b79

          SHA256

          627a38c6c239a51d77780bc5bde4cbe6e91d60a43cb2359116295aca766dce90

          SHA512

          3c910b4bdf064f82f3662f6399a3fe7facb9de19202d460fd9f99a3d6de015e46248b325c4902373c195bb62b789315c4c051691b9750ba3dd16f4ee9fae415e

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BANDOO~1.DLL

          Filesize

          368KB

          MD5

          232a46f8c6f6cad04924e2099e440b91

          SHA1

          7eb3ae0b0b9fcc485e7d1d3fa73f2e38c6301e62

          SHA256

          8e492251e684f4edd18d7e746ec874999c448d266e94573f3a2233fe68279371

          SHA512

          6bb476730452b930df9a5b0383ad4bdaa5b24fe3203786d8af4c6079eaec773831f844d262b77acfdec1d0085747da7d006ae5f35dc6f39b58ddacab7fd6b469

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\Bandoo.exe

          Filesize

          1.8MB

          MD5

          8d7cb5fcdf17a103001382928c52b0d5

          SHA1

          0953c55a825aca3e08816fcded479268628d2870

          SHA256

          fa52dd26ac2216eba4c2b55512fff492a916dec3b7d135b5d7f3170e1a05a0b4

          SHA512

          b9beaef4cbafc3dd3de8b819230ad8d9e857e004defa07ee964312cce88b20d99ab9ff617eb172b4f9970d3be5e2fd730091a9861d40e3c6ce6f5025f5c04dad

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BandooGo.exe

          Filesize

          1.0MB

          MD5

          a7dea79ec917f96b8cbdec261bd41099

          SHA1

          669557ef4a43b26dbcd5e7ae74bfa22a9c7a7c9a

          SHA256

          1d5700fee2fb5419941d9ab6cd591391ea3b312206467ce141d01aa23c446223

          SHA512

          b84b170ef6be1c0ebb9814db97fa66b4629f960f8402e6bb2ee99d5606875a8290c5f4631220ad93b40cc70374fc96173bb164e5b03cedbd49e829209cda477a

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BandooUI.exe

          Filesize

          1.7MB

          MD5

          1cb076b06346feee33ec3e409ea0ec42

          SHA1

          8cf322d41f7c8e326c6a0a697b90eb813cf256bc

          SHA256

          307f36ef56a1443a22b838e7d5188fe6d6f04a08194c8789285e599096af5605

          SHA512

          c9a4ee681ea51c2a3515321a776fe3acc32f9626d0de343a2b12e09095e9e9b3983f7f3b97289033fa8c1e93618194b8ee01bf0d3571aff991e24c8e323c8439

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BndCore.exe

          Filesize

          1.5MB

          MD5

          d0c1e5654ae09f42dee564572511ef2e

          SHA1

          e2895459d69e93e944755dc007c612cc777df502

          SHA256

          cf3a68d5b82382817679d77f6a1af18ad48dda3d16f52c4cf43e81b54fd463c2

          SHA512

          271e3e76d4a9c199a2487b95f22b0cd589845b41f18e7b283c0f8bbe898b941128b0a6d9773c08d05b5b7f325effabf8eb77b16db96b422a2c7228544bd01c56

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BndHook.dll

          Filesize

          66KB

          MD5

          8cb713d89900f7e1f0237b4a861954a3

          SHA1

          10340c3f8f98fb29eff9372f3b92a8055760a31d

          SHA256

          1e587122f60fedb5c3a733ccea333eb751dd1123e9293e7e4338f69547d8f3f6

          SHA512

          5e250988a93aa24f78fe1a824abd86d2ccb553aac7e55711628810ca43966c4574afd16fa8f0954b096e2990bddff2db9fb61ac04d3eb6ebd2208f1133133e29

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\EXTENS~1.EXE

          Filesize

          1.1MB

          MD5

          8becc2a870db96977054b01cd1409720

          SHA1

          8b4dcd16a8dd63e476ddcdfd0b0c7d838a6651aa

          SHA256

          3943ca184a48976a6e61a703c9fb08598f2c3256265461a495fcf9de974ec0c7

          SHA512

          58b7c83b118381b69ffd6509cf2c8782003d0027d4d7663c8c01b3e358625aba681d2142c1136e35efcdc26ef067f04549e17ae8755ec590765d0c1d31249879

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\GIFANI~1.DLL

          Filesize

          161KB

          MD5

          a9fd2046ebaed67672113870c545959e

          SHA1

          c838473ab1d2ba2e7a7a4d71242750d4fe4d3203

          SHA256

          063f9ddadb5a48bc4960dc579bca62cf8a64779d3d34cce2f0a20588b9872a7b

          SHA512

          a4311f328fd13d3cddc7b4970f59b183d8a72dfe55229584dd4f0a54d233743bfd72ff7642fec368c0ffe4ef29b68fa45bcbbf216202cd237f9123bdd9bb38c5

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\INSTAL~1.DLL

          Filesize

          1.3MB

          MD5

          8b8d57a7822c281d136813a6a6bee3f5

          SHA1

          baaaffa093dcd78d1e33f82aa52d13bd88e7c704

          SHA256

          41a463a7409350e1b937d0e5ed4d6c89addd30b7f582904174b689c6537a4b36

          SHA512

          19d186b668050d1e857f1fd5a210b62db3e84e3b859d99c42be707bf06c6fc362fc920b45b310d480c0811443deff968a6a8348b71d8f4a120d43bddfed21070

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\MSNPLU~1.DLL

          Filesize

          2.3MB

          MD5

          7a9f2aff217e8a318659c78ed9dac210

          SHA1

          dce41c98488c5e7422ac2a4300a51733ac9ca849

          SHA256

          144852657dda3f989671ee9c4c2122f54bbdfa4a11c502fd8d490c0d8bfafffd

          SHA512

          cbd93c901eacd3a8d08cc9b6bcaf1979361604eeb73caefee32e3f2c81834334e4f224bffdca20304ce7d326573e407645ce2a14679f2ac5254e4c93a217fa74

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\PREUNI~1.EXE

          Filesize

          185KB

          MD5

          6b4c2474ab43b101158dc9249d625471

          SHA1

          e9205b8cbb5eb5a1d0a487c9401023a6ee853cd5

          SHA256

          dc5d27aea969527bada1d4cf6080fac59fe497c1f77d36db51deddb2e0047d9e

          SHA512

          6b0fb876ebf3270aebae2df530d3591aa90f99432924454b3fcfdf8224895dbe90bdc1ccfc0bd83ae01383d0d89f59fa92fc71d256a5b343848fac071fa4aaef

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\Plugins.ini

          Filesize

          222B

          MD5

          b80866b84490c8974ec17ab899bfbe5d

          SHA1

          3f1b794e1e035d2d5aa60069ce32af89165692aa

          SHA256

          f4404b5e92163280a0fb077a1a51c0bf033945f5d6b5b0fb4c7d423aca07a5ad

          SHA512

          19a0295bd652f38ad481743b0dbce3a612edf4a57a92a4f2fec4e728f216e85fcdc435529c5886db89996d36a12d974c28d6b053f7761b875e874b1de7dab0db

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\YAHOOP~1.DLL

          Filesize

          2.1MB

          MD5

          9185881e390416beb23302bf0d74f44c

          SHA1

          dd01084315589f18731d81c02181a39c8aedd7c5

          SHA256

          40e3d7c3ad8b68140cca42c4570dd0b5d0ece9610b982da644350e369f622891

          SHA512

          48243048c8702b71c659262a173e050a9b649ed6f9ac1c77df4e19db66087f1425e19d3c610e9065dc4cdd198922edac6e7acff68228591b8a42f69c1a6cc02a

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\FFSETT~1.EXE

          Filesize

          137KB

          MD5

          05406f548d5422924529bb265d616930

          SHA1

          aa67ea5ef6557c418ca15adae6f46f7c86e3b86e

          SHA256

          d23991ad4ad6fd69dc6ff12393ecf388ea862cfecb2c862cffe47c168ea1f138

          SHA512

          75b1b791aaca896121f4ecb881adf79863a5a74ae2fcdbab06c6583800c2102fc56d9ddf31b5a4d236e42c8a2ee0d36e4daffc796ee394e8b84ced62506d6649

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\LIBUNG~1.DLL

          Filesize

          30KB

          MD5

          5395d8552b99dacf6f4cc4610dc317fe

          SHA1

          96187f9d487600268428a98c77788f5be9c195c0

          SHA256

          f3deaa142f26b1596d73ea7d5f2844ded23265c215f1b0ad435d6203bf1544f5

          SHA512

          d1cb0f8a598cbeec8bc954795530e7a41df4f9cca631604ec69c02d4d697fef7ff071446ec29f48370e96bd8a9e151bc0748a33a7d52dd9552ddd6b7f05dd2ae

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\LICENS~1.RTF

          Filesize

          43KB

          MD5

          6efa068d4c5e66d296249eead5d4588b

          SHA1

          798706d0094c74f12f99163987ed324d40dae9dc

          SHA256

          f91c7ccd4653dc7f91938510434c16031f591bc498254f93125967a5e0b63782

          SHA512

          9dd1675180aa54884e0dcf282408a0b7385079a43e7476dd945edab7fc204a7e09634594971a59821cdee68b2d66bbed023964554f96bd347a73142f394301b5

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\SETUPD~1.EXE

          Filesize

          2.0MB

          MD5

          5b5555b6af246dfea73b585a1db26c6e

          SHA1

          ed352d072c5bd309af464986792c09c83b847caf

          SHA256

          30818c8c924c4124f3544d4c3e51e597bcae41798c6573329a2d710601521528

          SHA512

          93bcf786041c3f9475eeb0d2419d6f0c4c2e9a3ad7c4a60795ee8ba84d8624af92466b59ef5db649a6b2263dea8685c4456ed695024efaa4e8c0599a63c33b30

        • C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\WPSUBS~1.XML

          Filesize

          1KB

          MD5

          aeb8a0f98aa3c7ab18d5ff3c7adaf12f

          SHA1

          a10588232218b98bdc57d6a7dc6dbf63b9981ceb

          SHA256

          a69c0d2985d39d49165cde5c9662ee642526459fb44a0469b1c57b535f0bd730

          SHA512

          0238482a2546528494e977530c165f266ba8bd354d244bbb47af5d61736670e2686278488002d70eeaaab39fba203b1c2b915f4bf51c645bd349e93ea4a9d1de

        • C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\Bin\resources\plugins\OE\HTML\blank.html

          Filesize

          471B

          MD5

          8adb616d567aa9bff9e4ae0706bccb3b

          SHA1

          0bbf2ce61145358a89cf4af14340071a9c680b8d

          SHA256

          5bc3f1f0e802f4143a88186e9eb7a8d0465bf788c04d109512ae73942f378be8

          SHA512

          1d1b08ef9ee0a47ae2888711b042229c66e1d2d1dacb705d820793300670f81de7a62f8f117dfe8de406133d778519519bde3205e9914658256c8f8b6181bcbf

        • C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\Bin\resources\plugins\OE\HTML\error.html

          Filesize

          723B

          MD5

          b7c7467f89925c675476492aed843958

          SHA1

          3357ffd23d718bf60ce999a1f82987a40da4ae0e

          SHA256

          690db044770f1d0e1d9350ff3bb41a5151a0a75c47d7dbef50e48efbae14d656

          SHA512

          cf4ba2f79dc908c8e6d73cb9f7399e2993df47604f7c9f8332c4f1cbcdca6d5756219930c9e526fd0e909be8c60feb13bf16fefc112cb97d47c34939afcacdd1

        • C:\Users\Admin\AppData\Local\Temp\Searchqu.ini

          Filesize

          232B

          MD5

          f680b584d6946840d1ac2dfc145a59bd

          SHA1

          9d8f7624f8788af592e8f1cf61f7e5f1f60f3133

          SHA256

          dae4d55ef25b9036abca41aaae23563f9153246d9801b07e46ad47393adb929b

          SHA512

          a7b7adb0831885f5b115926408789e7d4099c5b2f33605ccb5d95ecb3f72cf2515807fa0335b2f3f0369b859614c4163a2d077c5c62d4b94ab6889a28f3c73f6

        • C:\Users\Admin\AppData\Local\Temp\nse1F5.tmp\System.dll

          Filesize

          11KB

          MD5

          00a0194c20ee912257df53bfe258ee4a

          SHA1

          d7b4e319bc5119024690dc8230b9cc919b1b86b2

          SHA256

          dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

          SHA512

          3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

        • C:\Users\Admin\AppData\Local\Temp\nse418.tmp\xml.dll

          Filesize

          26KB

          MD5

          fbda05aa26e02d38effb82294e83ea69

          SHA1

          aa2291ace177515173315668480c74442e21549d

          SHA256

          565e439a6262cbe6c8164312ad330930738efa8d4defcbcdcc1eeb752fdb75b3

          SHA512

          3fd4dcbe059df3078f7709b2b9edbe30744ad7ff6e4cd1c494b40bb796a31838d5c9761fe9db860c38bd929c364df4767435fb85dc4e4115e361dd9d640c256f

        • \Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe

          Filesize

          6.4MB

          MD5

          f211b2557e7858ae124653d7cb29f0dd

          SHA1

          d9eb4d799047a942f826d5261a22b0aba1a0d753

          SHA256

          648d2021bcb77c24602f634f7db9c9b190c27df07aa95aa983ff00488ceaf395

          SHA512

          a949d67b5899888417648cdaf0fe379960ee74b48e9a2b9e763b3c0b84804dba921e2a45a35b5cc3fc2c9a9fdbfea25157849287a89efe6473a3abf138b26478

        • \Users\Admin\AppData\Local\Temp\GLCD26C.tmp

          Filesize

          161KB

          MD5

          8c97d8bb1470c6498e47b12c5a03ce39

          SHA1

          15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

          SHA256

          a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

          SHA512

          7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

        • \Users\Admin\AppData\Local\Temp\GLFD8F6.tmp

          Filesize

          10KB

          MD5

          3b2e23d259394c701050486e642d14fa

          SHA1

          4e9661c4ba84400146b80b905f46a0f7ef4d62eb

          SHA256

          166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

          SHA512

          2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

        • \Users\Admin\AppData\Local\Temp\GLKD480.tmp

          Filesize

          35KB

          MD5

          5614b11b85320c6e526b9ccff1fa7448

          SHA1

          1c01ecdc58643d752344c8dd1fd6ff04c554d874

          SHA256

          e4993861e8dc24757dd9983086203a078fc48f7a71efd6f3746c23bb12bf9b60

          SHA512

          58cb7cd54a81ae7f40ab0036b8479c18b16536ba4676dabb494b7eeb6c02283c3170b99048dc08476fd7d3b833efcd89842a871a1ed5b89d1ddd3bcb43c98d1e

        • \Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe

          Filesize

          985KB

          MD5

          0cc6b522d6d5a0a434cab814b6fc060e

          SHA1

          954edee56185e5edb04ed2975831a7b3e359c355

          SHA256

          340b17703b82755262173c8218c4601928244c6dea2d68c53e1b9985c4ca47fa

          SHA512

          c45c5f47f6b91810ba4e17ddc22646e512062cc0f2044710a2ea813c42132a6221176018a6b16d843651e179026863167f3a52b29989afb13e51974cf8e99c21

        • \Users\Admin\AppData\Local\Temp\nse1F5.tmp\GetVersion.dll

          Filesize

          6KB

          MD5

          5264f7d6d89d1dc04955cfb391798446

          SHA1

          211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

          SHA256

          7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

          SHA512

          80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

        • \Users\Admin\AppData\Local\Temp\nse418.tmp\InetLoad.dll

          Filesize

          17KB

          MD5

          e241424579fdfd683f0adff02b7483a8

          SHA1

          c4cde72b3e5e34730a41d43383d1234279dff1f6

          SHA256

          c8601ee8eda1952ac188c05ae0527b51e525ee4ff36f67218dfdd2d48c79fd6a

          SHA512

          a0c0f4bb55b8c0143266705292805fcb98f72dbdc4b724569cb31bd7488258ded63583e1f060c1d7bf003d3df2018b05a0720cee3064b6f6c60247e959636947

        • \Users\Admin\AppData\Local\Temp\nse418.tmp\UAC.dll

          Filesize

          16KB

          MD5

          0d422e0c03a7d9428c6c02175d7dc9f8

          SHA1

          5e13d49521cfbbe52cd74de8e1682789f0268969

          SHA256

          9f47ec720d74e538bbc8d0c1118efcbc52e52050dbe98c27029fc35329996f7c

          SHA512

          2edf47b24c4201e082841824d6ad9047a06e9a877d799e87befaf5d54179c924849d2e608cf9f60a1480828edcd98e19f3d139d19bdb4b96ee4939fe58bf0887

        • memory/1400-497-0x00000000005A0000-0x00000000005AA000-memory.dmp

          Filesize

          40KB

        • memory/1400-1010-0x0000000000B00000-0x0000000000B16000-memory.dmp

          Filesize

          88KB

        • memory/2988-663-0x0000000003790000-0x00000000038DA000-memory.dmp

          Filesize

          1.3MB

        • memory/2988-237-0x0000000003360000-0x00000000034AA000-memory.dmp

          Filesize

          1.3MB
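The Downloads list above is the report's dropped-file inventory, but it mixes three kinds of entries: files the installer writes to Program Files and %TEMP%, stock NSIS plugin DLLs in ns*.tmp directories, and memory dumps with a size but no hash. The following added example (not part of the sandbox report) parses an abridged excerpt of that listing, in the page's own layout, into records, validates the hash lengths, and separates the entries so that only the real dropped files end up in a blocklist. The excerpt keeps the report's own hashes but omits the SHA1/SHA512 lines for brevity; the set of known NSIS plugin names is limited to those seen in this run and should be extended per environment.

```python
import re

# Abridged excerpt of the "Downloads" listing above, in the page's own layout.
# The hashes are the ones printed in the report; SHA1/SHA512 lines are left out.
SAMPLE_LISTING = r"""
• C:\PROGRA~2\Fun4IM\UNWISE.EXE

  Filesize

  149KB

  MD5

  973567b98cdfc147df4e60471d9df072

  SHA1

  3c4735750c99c63e6861170a8c459a608594211e

  SHA256

  69b9dd6160524e0eb44905224f5b1747dfce43243c00c11c87f5c2ec55102876

• C:\Users\Admin\AppData\Local\Temp\nse418.tmp\UAC.dll

  Filesize

  16KB

  MD5

  0d422e0c03a7d9428c6c02175d7dc9f8

  SHA256

  9f47ec720d74e538bbc8d0c1118efcbc52e52050dbe98c27029fc35329996f7c

• \Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe

  Filesize

  985KB

  SHA256

  340b17703b82755262173c8218c4601928244c6dea2d68c53e1b9985c4ca47fa

• memory/1400-497-0x00000000005A0000-0x00000000005AA000-memory.dmp

  Filesize

  40KB
"""

FIELD_NAMES = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# NSIS writes plugin DLLs to %TEMP%\ns<random>.tmp\; names seen in this run only.
NSIS_PLUGIN_DIR = re.compile(r"\\ns[a-z]\w*\.tmp\\", re.IGNORECASE)
KNOWN_NSIS_PLUGINS = {"system.dll", "xml.dll", "inetload.dll", "uac.dll", "getversion.dll"}


def parse_downloads(text):
    """Turn the bullet/field/value layout into a list of dicts keyed by lower-cased field."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            current = {"path": line[2:]}
            records.append(current)
            pending = None
        elif current is None:
            continue                      # text before the first bullet
        elif line in FIELD_NAMES:
            pending = line                # next non-blank line is this field's value
        elif pending:
            if pending in HEX_LEN and not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[pending], line):
                raise ValueError(f"bad {pending} for {current['path']}: {line}")
            current[pending.lower()] = line
            pending = None
    return records


def classify(rec):
    """memory_dump | nsis_plugin | dropped_file_shortname | dropped_file."""
    path = rec["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    if path.startswith("memory/"):
        return "memory_dump"
    if NSIS_PLUGIN_DIR.search(path) and name in KNOWN_NSIS_PLUGINS:
        return "nsis_plugin"              # stock installer component: weak indicator alone
    if re.search(r"~\d", path):
        return "dropped_file_shortname"   # 8.3 path; expand on a host before writing file rules
    return "dropped_file"


def blocklist(records, algo="sha256"):
    """Sorted hashes of the real dropped files (plugins and memory dumps excluded)."""
    return sorted(r[algo] for r in records if classify(r).startswith("dropped_file") and algo in r)


if __name__ == "__main__":
    for r in parse_downloads(SAMPLE_LISTING):
        print(classify(r), r["path"], r.get("sha256", "-"))
    print(blocklist(parse_downloads(SAMPLE_LISTING)))
```

Feeding the full Downloads section through the same parser yields the complete inventory; the plugin filter keeps the five NSIS DLLs out of the hash list, which matters because the same System.dll or UAC.dll ships with countless legitimate NSIS installers.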