Analysis Overview
SHA256
2dd4cf403fe7d85d7d32cfc69239c479f4d25067facf6f38be38593582280b2c
Threat Level: Shows suspicious behavior
The file JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
NSIS installer
Modifies Internet Explorer start page
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-19 18:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-19 18:43
Reported
2025-01-19 18:46
Platform
win7-20241010-en
Max time kernel
43s
Max time network
50s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Fun4IM\BandooUI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| N/A | N/A | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| N/A | N/A | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| N/A | N/A | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F} | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\ = "Bandoo IE Plugin" | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020}\ = "Searchqu Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Fun4IM\~GLH0008.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\~GLH0015.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\preferences.xml | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\rss-folder.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1227\btn-wide-close-over.PNG | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1227\btn-wide-maximize.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1255\btn-wide-maximize-over.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1255\widget.js | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\options\options-weather.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\~GLH0008.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1004.dat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\~GLH002f.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btnarrow-previous-off.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\popupWidgets.html | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\popupWeather.css | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\MSN\~GLH0016.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\lib\about.xml | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\youtube.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\css\slider.css | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0026.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0028.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\panel.html | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\logo-about.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\add.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\scrollb-disable.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\scroll-left.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-options-design-on.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Bandoo.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\~GLH002e.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\IE\Resources\~GLH003f.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\bluesky.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\games.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\settings.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\arrowr-bluew5.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-eq-warning.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\border_02.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\~GLH0013.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\toolbar.xul | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1255\btn-wide-maximize.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\widget_todo.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\widget_uconverter.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\ico-download.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\~GLH000a.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\bg-scalable-mdl.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\add.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\over-blue.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btn-close-greyover.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\BandooRes.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\modules\datastore.jsm | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btn-wide-minimize-down.PNG | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\bluelite.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\ca.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\resize-box.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\music-note.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\~GLH0006.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Resources\~GLH0020.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\~GLH0033.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\searchqutb.js | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1227\btn-wide-maximize-down.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1227\widget.js | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\widget.js | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\btn-search-pnlbtm-over.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1001.dat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1255\btn-wide-close-down.PNG | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Fun4IM\BandooUI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\USER PREFERENCES | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\OpenInForeground = "0" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShowActivities = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\OpenAllHomePages = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppName = "BndCore.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5379B4B-24D8-432A-9A96-BE75EE5117DB}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{7FF99715-3016-4381-84CE-E4E4C9673020} = "Searchqu Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\URL = "http://www.searchqu.com/web?src=ieb&systemid=402&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\SuggestionsURL_JSON = "http://www.searchqu.com/suggest.php?src=ieb&systemid=402&qu={searchTerms}&ft=json" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27F69C85-64E1-43CE-98B5-3C9F22FB408E} | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\Deleted = "0" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B543EF05-9758-464E-9F37-4C28525B4A4C}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppName = "Bandoo.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402} | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\DisplayName = "Web Search" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\Groups = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}\AppPath = "C:\\PROGRA~2\\WIA6EB~1\\ToolBar" | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\PopupsUseNewWindow = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\DisplayName = "Web Search" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppName = "BndCore.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0CE5B352-9D9C-41E1-9551-FCCD92820217} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShowClosedTabs = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB} | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppName = "BandooUI.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsThreshold = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\URL = "http://www.searchqu.com/web?src=ieb&systemid=402&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{167B2B5F-2757-434A-BBDA-2FDB2003F14F} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3E63C9BC-DD51-4E83-ABA6-B350EAD28531}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5379B4B-24D8-432A-9A96-BE75EE5117DB} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3E63C9BC-DD51-4E83-ABA6-B350EAD28531} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{8A96AF9E-4074-43b7-BEA3-87217BDA7402}" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402} | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.searchqu.com/402" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB} | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.PlugInNotifier\CurVer | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E57D3C8D-ADD0-4AE0-8A14-0D0F6A3487FB}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{518CA0FD-F755-4F98-A2A8-CD450FB203AB} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C29CF951-7F4F-4B8D-ACA8-C4EE934C27DC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6087829B-114F-42A1-A72B-B4AEDCEA4E5B}\ = "IFlashAnimatorCtrl" | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6F43FA77-C18F-4D0C-9C7E-958876FE2061}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}\VersionIndependentProgID\ = "CURL.HTTPProxyInfo" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5D99259-ADA3-48A5-B861-39813B713DCB}\TypeLib | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33DDFC61-F531-4982-8C32-4212B7835D44}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9005ED5-4A1D-4606-A4DF-1A25E7D7B417}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr\CLSID | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{06DE5702-44CF-4B79-B4EF-3DDF653358F5}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.BandooCoordinator.1\CLSID\ = "{167B2B5F-2757-434A-BBDA-2FDB2003F14F}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}\VersionIndependentProgID | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPServiceFactory\CLSID | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFFA986E-4B0F-4F15-9DDC-19FE8129602A}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A9005ED5-4A1D-4606-A4DF-1A25E7D7B417}\TypeLib | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPProxyInfo.1\ = "HTTPProxyInfo Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A288B32D-1001-479F-8DA2-E259010B7A31}\ = "IPluginNotifier" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AD7A5B6-610D-4A82-979E-0AED20920690}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr\ = "ResourcesMngr Class" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1 | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E63C9BC-DD51-4E83-ABA6-B350EAD28531} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E63C9BC-DD51-4E83-ABA6-B350EAD28531}\ = "HTTPFileDownloadService Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9C123289-82E1-4DA7-A3C2-B8D28AAD114B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Fun4IM\\GIFAnimator.dll" | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E5C9E1-A0E8-4F8C-8EAF-0F9250CC5786} | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}\ = "HTTPProxyInfo Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4410C118-B23C-406C-9F52-9CDABD90A5EA}\1.0\HELPDIR | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{929FCA79-44E2-4408-83E7-F93AAE0B0909}\ = "IHTTPProxyInfo" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33DDFC61-F531-4982-8C32-4212B7835D44}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7}\VersionIndependentProgID | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr.1\CLSID\ = "{27F69C85-64E1-43CE-98B5-3C9F22FB408E}" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1\CLSID | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.BandooCoordinator.1\CLSID | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPDataAccessor\ = "HTTPDataAccessor Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPFileDownloadService.1\CLSID\ = "{3E63C9BC-DD51-4E83-ABA6-B350EAD28531}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPFileDownloadService | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{266294D5-5A0D-46E8-9294-BCB6EAFA478F}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D60A7941-4F69-4A79-BED7-72ADA784B8F7}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4410C118-B23C-406C-9F52-9CDABD90A5EA}\1.0\ = "BandooCoordinator 1.0 Type Library" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr\CurVer\ = "BandooCore.StatisticMngr.1" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF948646-8BF4-450E-A059-CF8A4E0FE2BE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}\VersionIndependentProgID\ = "BandooCoordinator.BandooCoordinator" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.CoordinatorUI\CurVer | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\ = "HTTPDataAccessor Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\VersionIndependentProgID | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.HTTPAsyncResult\CLSID\ = "{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DFF35F25-E783-4E26-8DA6-EBB66B8B0E39}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E9B4D72-C58D-48BF-AC09-68182D472160}\ = "_ICoordinatorUIEvents" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E9B4D72-C58D-48BF-AC09-68182D472160}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33DDFC61-F531-4982-8C32-4212B7835D44}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\Programmable | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}\AppID = "{1301A8A5-3DFB-4731-A162-B357D00C9644}" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4410C118-B23C-406C-9F52-9CDABD90A5EA}\1.0 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{518CA0FD-F755-4F98-A2A8-CD450FB203AB}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3AD7A5B6-610D-4A82-979E-0AED20920690} | C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\VersionIndependentProgID\ = "BandooCore.ResourcesMngr" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6F43FA77-C18F-4D0C-9C7E-958876FE2061}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7}\ProgID | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5D99259-ADA3-48A5-B861-39813B713DCB}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe"
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe
"C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe" "-oC:\Users\Admin\AppData\Local\Temp\Fun4IMFiles" -y
C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE
"C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE" /S
C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe
"C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe" /S /NOADDREMOVE /D=C:\PROGRA~2\WIA6EB~1\ToolBar
C:\Program Files (x86)\Fun4IM\BandooUI.exe
"C:\Program Files (x86)\Fun4IM\BandooUI.exe" cookie http://fun4im.com
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp" C:\Program Files (x86)\Fun4IM\GIFAnimator.dll
C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp" C:\Program Files (x86)\Fun4IM\FlashAnimator.dll
C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp" C:\Program Files (x86)\Fun4IM\CrashRpt.dll
C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJD27D.tmp" C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll
C:\PROGRA~2\Fun4IM\BndCore.exe
"C:\PROGRA~2\Fun4IM\BndCore.exe" /RegServer
C:\PROGRA~2\Fun4IM\Bandoo.exe
"C:\PROGRA~2\Fun4IM\Bandoo.exe" /Service
C:\PROGRA~2\Fun4IM\Bandoo.exe
"C:\PROGRA~2\Fun4IM\Bandoo.exe" /Start
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | search.vmn.net | udp |
| US | 8.8.8.8:53 | service.bandoo.com | udp |
| IL | 212.235.109.70:80 | service.bandoo.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-19 18:43
Reported
2025-01-19 18:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Fun4IM\BandooUI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| N/A | N/A | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| N/A | N/A | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| N/A | N/A | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F} | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\ = "Bandoo IE Plugin" | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB5CEE80-030A-4ED8-8E20-454E9C68380F}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020}\ = "Searchqu Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1055.dat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\button-hover-left.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\rss.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\star_x_grey.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\popupWeather.css | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Resources\~GLH001f.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1004.dat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\remove.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\throbber.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\FlashAnimator.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\tb_icon.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\highlight_lime.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\slideron.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1255\btn-wide-close-over.PNG | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\widget_sudoku.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-volume-0.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\border_08.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\radio-checked.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\HTML\~GLH003e.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217.zip | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\btnarrow-next-off.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\blank.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\pop.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-options-design-on.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-options.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Plugins\IE\Resources\HTML\~GLH0041.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\modules\datastore.jsm | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\logo-about.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Plugins\IE\Resources\~GLH003f.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\~GLH0031.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\youtube.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-btn-pause-on.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\border_19.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\searchbox-pnlbtm.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\BandooGo.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\toolbar.htm | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\scrollt-over.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\box-check.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\searchbar\searchbar-background-left.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\~GLH000d.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\~GLH0021.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0023.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1011.dat | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\HTML\~GLH003b.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.Twitter.1257\powered-mystart.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\widget.xml | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\button-down-splitter.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Resources\~GLH001d.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\uwa\templateFF.html | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\rsstopback.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\yellow.gif | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\arrowr-bluew5.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\btn-wide-minimize.PNG | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\~GLH0039.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\lib\external.js | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\graphred0_5.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\radio\images\radio-volume-mute.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\InstallerHelper.dll | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\~GLH0010.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0024.TMP | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\content\widgets\net.vmn.www.3.YouTube.1217\btnarrow-previous-off.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\scroll-right.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\panels\images\icon-Add.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| File created | C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btn-delete.png | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Fun4IM\BandooUI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppName = "Bandoo.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppName = "BndCore.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppName = "BandooUI.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\WarnOnClose = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{8A96AF9E-4074-43b7-BEA3-87217BDA7402}" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{7FF99715-3016-4381-84CE-E4E4C9673020} = "Searchqu Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{8A96AF9E-4074-43b7-BEA3-87217BDA7402}" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\DisplayName = "Web Search" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppName = "ExtensionsManager.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3E63C9BC-DD51-4E83-ABA6-B350EAD28531}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5379B4B-24D8-432A-9A96-BE75EE5117DB}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\OpenInForeground = "0" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\PopupsUseNewWindow = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\Deleted = "0" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\SuggestionsURL_JSON = "http://www.searchqu.com/suggest.php?src=ieb&systemid=402&qu={searchTerms}&ft=json" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppName = "BndCore.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5379B4B-24D8-432A-9A96-BE75EE5117DB} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\Groups = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShowClosedTabs = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShortcutBehavior = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\DisplayName = "Web Search" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\QuickTabsThreshold = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\URL = "http://www.searchqu.com/web?src=ieb&systemid=402&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C8A3CA5-889E-4554-BEEC-EC0876E4E96A}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\USER PREFERENCES | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\Deleted = "0" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\SuggestionsURL_JSON = "http://www.searchqu.com/suggest.php?src=ieb&systemid=402&qu={searchTerms}&ft=json" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppPath = "C:\\Program Files (x86)\\Fun4IM" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{8A96AF9E-4074-43b7-BEA3-87217BDA7402}\ShowSearchSuggestions = "1" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}\AppName = "uninstall.exe" | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7FF99715-3016-4381-84CE-E4E4C9673020}\AppPath = "C:\\PROGRA~2\\WIA6EB~1\\ToolBar" | C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{424624F4-C5DD-4e1d-BDD0-1E9C9B7799CC} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F9189560-573A-4fde-B055-AE7B0F4CF080}\AppName = "BandooUI.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{074E4EFE-81BB-4EA4-866E-082CB0E01070} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0CE5B352-9D9C-41E1-9551-FCCD92820217} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EF2B6317-C367-401B-83B8-80302D6588A7}\Compatibility Flags = "1024" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB} | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f000001-db8e-f89c-2fec-49bf726f8c12}\AppName = "ExtensionsManager.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.searchqu.com/402" | C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPDataAccessor | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CE5B352-9D9C-41E1-9551-FCCD92820217} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C29CF951-7F4F-4B8D-ACA8-C4EE934C27DC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.StatisticMngr.1\CLSID | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.ResourcesMngr\CLSID\ = "{27F69C85-64E1-43CE-98B5-3C9F22FB408E}" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{06DE5702-44CF-4B79-B4EF-3DDF653358F5} | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}\TypeLib | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFF35F25-E783-4E26-8DA6-EBB66B8B0E39}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\InprocServer32\ = "C:\\Program Files (x86)\\Fun4IM\\FlashAnimator.dll" | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E5C9E1-A0E8-4F8C-8EAF-0F9250CC5786}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.CoordinatorUI\ = "CoordinatorUI Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPProxyInfo\CLSID\ = "{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D60A7941-4F69-4A79-BED7-72ADA784B8F7}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A9005ED5-4A1D-4606-A4DF-1A25E7D7B417}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FF99715-3016-4381-84CE-E4E4C9673020}\ = "Searchqu Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BFlashAnimator.BFlashAnimatorCtrl\CLSID\ = "{CE1CB632-6817-47b3-8587-D05AF75D6D5A}" | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooIEPlugin.BandooIEPlugin\CLSID\ = "{EB5CEE80-030A-4ED8-8E20-454E9C68380F}" | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9005ED5-4A1D-4606-A4DF-1A25E7D7B417}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}\LocalServer32\ = "\"C:\\PROGRA~2\\Fun4IM\\Bandoo.exe\"" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72434BC1-E46D-47A1-A597-8749DFBCC24A}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}\TypeLib\ = "{B59DD5A8-33B8-4525-8A2B-B0943736F927}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E96B49B0-E11F-48FC-984A-EEC29A4F57E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}\ = "PlugInNotifier Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPProxyInfo.1\CLSID\ = "{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A288B32D-1001-479F-8DA2-E259010B7A31}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\ProgID | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooIEPlugin.BandooIEPlugin\CurVer\ = "BandooIEPlugin.BandooIEPlugin.1" | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFF35F25-E783-4E26-8DA6-EBB66B8B0E39} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72434BC1-E46D-47A1-A597-8749DFBCC24A}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94FBDF11-676E-42E5-A516-1FD39970386B}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A288B32D-1001-479F-8DA2-E259010B7A31}\TypeLib | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB} | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}\Programmable | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E96B49B0-E11F-48FC-984A-EEC29A4F57E1}\ = "IStatisticMngr" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCoordinator.CoordinatorUI\CLSID\ = "{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}\ProgID | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFFA986E-4B0F-4F15-9DDC-19FE8129602A}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A288B32D-1001-479F-8DA2-E259010B7A31} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FF99715-3016-4381-84CE-E4E4C9673020}\InprocServer32\ = "C:\\PROGRA~2\\WIA6EB~1\\ToolBar\\SearchquDx.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB5CEE80-030A-4ED8-8E20-454E9C68380F} | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BandooCore.SettingsMngr\CurVer | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72434BC1-E46D-47A1-A597-8749DFBCC24A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5E9B4D72-C58D-48BF-AC09-68182D472160}\ProxyStubClsid32 | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9C123289-82E1-4da7-A3C2-B8D28AAD114B}\ = "GIFAnimator" | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AD7A5B6-610D-4A82-979E-0AED20920690}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPDownloadStatus | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}\ProgID | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{929FCA79-44E2-4408-83E7-F93AAE0B0909}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E96B49B0-E11F-48FC-984A-EEC29A4F57E1}\TypeLib\Version = "1.0" | C:\PROGRA~2\Fun4IM\BndCore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{074E4EFE-81BB-4EA4-866E-082CB0E01070}\ = "HTTPDataAccessor Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7}\ = "HTTPServiceFactory Class" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01222E21-6BD0-4EB3-94F1-967EB09CCED5} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5D99259-ADA3-48A5-B861-39813B713DCB}\ = "IHTTPDataAccessor" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\ = "CFlashAnimatorCtrl Object" | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE1CB632-6817-47b3-8587-D05AF75D6D5A}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CURL.HTTPProxyInfo\CurVer | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFFA986E-4B0F-4F15-9DDC-19FE8129602A} | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E9B4D72-C58D-48BF-AC09-68182D472160}\ = "_ICoordinatorUIEvents" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BGIFAnimator.BGIFAnimatorCtrl.1 | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{62E5C9E1-A0E8-4F8C-8EAF-0F9250CC5786}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7}\TypeLib\ = "{B59DD5A8-33B8-4525-8A2B-B0943736F927}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4410C118-B23C-406C-9F52-9CDABD90A5EA}\1.0\ = "BandooCoordinator 1.0 Type Library" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01222E21-6BD0-4EB3-94F1-967EB09CCED5}\TypeLib | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72434BC1-E46D-47A1-A597-8749DFBCC24A}\TypeLib\ = "{4410C118-B23C-406C-9F52-9CDABD90A5EA}" | C:\PROGRA~2\Fun4IM\Bandoo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfe3ccd4e51148fc43af6918502968ed.exe"
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe
"C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe" "-oC:\Users\Admin\AppData\Local\Temp\Fun4IMFiles" -y
C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE
"C:\Users\Admin\AppData\Local\Temp\SETUPD~1.EXE" /S
C:\Program Files (x86)\Fun4IM\BandooUI.exe
"C:\Program Files (x86)\Fun4IM\BandooUI.exe" cookie http://fun4im.com
C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp" C:\Program Files (x86)\Fun4IM\GIFAnimator.dll
C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp" C:\Program Files (x86)\Fun4IM\FlashAnimator.dll
C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp" C:\Program Files (x86)\Fun4IM\CrashRpt.dll
C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ9BA5.tmp" C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll
C:\PROGRA~2\Fun4IM\BndCore.exe
"C:\PROGRA~2\Fun4IM\BndCore.exe" /RegServer
C:\PROGRA~2\Fun4IM\Bandoo.exe
"C:\PROGRA~2\Fun4IM\Bandoo.exe" /Service
C:\PROGRA~2\Fun4IM\Bandoo.exe
"C:\PROGRA~2\Fun4IM\Bandoo.exe" /Start
C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe
"C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe" /S /NOADDREMOVE /D=C:\PROGRA~2\WIA6EB~1\ToolBar
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /u /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | service.bandoo.com | udp |
| IL | 212.235.109.70:80 | service.bandoo.com | tcp |
| US | 8.8.8.8:53 | search.vmn.net | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.131.30.184.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\GLC9B84.tmp
C:\Users\Admin\AppData\Local\Temp\GLK9DA9.tmp
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\files.exe
C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\Bin\resources\plugins\OE\HTML\blank.html
C:\Users\Admin\AppData\Local\Temp\Fun4IMFiles\Bin\resources\plugins\OE\HTML\error.html
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\INSTAL~1.DLL
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\SETUPD~1.EXE
C:\Users\Admin\AppData\Local\Temp\Searchqu.ini
C:\Users\Admin\AppData\Local\Temp\GLFA1B3.tmp
C:\Users\Admin\AppData\Local\Temp\nsuAA99.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\WPSUBS~1.XML
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002b.TMP
C:\PROGRA~2\Fun4IM\Bandoo.exe
C:\PROGRA~2\Fun4IM\BndCore.exe
C:\Program Files (x86)\Fun4IM\ExtensionsManager.exe
C:\Program Files (x86)\Fun4IM\license.rtf
C:\Program Files (x86)\Fun4IM\BandooUI.exe
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH002a.TMP
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0029.TMP
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0028.TMP
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0027.TMP
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0024.TMP
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0023.TMP
C:\Program Files (x86)\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\~GLH0022.TMP
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\plugins\MSN\Toolbar\BANDOO~1.XML
C:\Program Files (x86)\Fun4IM\Resources\downloading.gif
C:\Program Files (x86)\Fun4IM\Resources\BandooMessages.xml
C:\Program Files (x86)\Fun4IM\Resources\nudge5.wav
C:\Program Files (x86)\Fun4IM\Resources\nudge4.wav
C:\Program Files (x86)\Fun4IM\Resources\nudge3.wav
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\nudge2.wav
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\nudge1.wav
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\nudge0.wav
C:\Program Files (x86)\Fun4IM\Plugins\IE\ieplugin.dll
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\YAHOOP~1.DLL
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\MSNPLU~1.DLL
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BndHook.dll
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\FFSETT~1.EXE
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Static\LIBUNG~1.DLL
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\RESOUR~1\Plugins.ini
C:\Program Files (x86)\Fun4IM\CrashRpt.dll
C:\Program Files (x86)\Fun4IM\FlashAnimator.dll
C:\Program Files (x86)\Fun4IM\GIFAnimator.dll
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BANDOO~1.DLL
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\BandooGo.exe
C:\Users\Admin\AppData\Local\Temp\FUN4IM~1\Bin\PREUNI~1.EXE
C:\PROGRA~2\Fun4IM\UNWISE.EXE
C:\Users\Admin\AppData\Local\Temp\nsuAA99.tmp\GetVersion.dll
C:\Users\Admin\AppData\Local\Temp\Searchqu_DM\SearchquMediaBar.exe
| MD5 | 0cc6b522d6d5a0a434cab814b6fc060e |
| SHA1 | 954edee56185e5edb04ed2975831a7b3e359c355 |
| SHA256 | 340b17703b82755262173c8218c4601928244c6dea2d68c53e1b9985c4ca47fa |
| SHA512 | c45c5f47f6b91810ba4e17ddc22646e512062cc0f2044710a2ea813c42132a6221176018a6b16d843651e179026863167f3a52b29989afb13e51974cf8e99c21 |
C:\Users\Admin\AppData\Local\Temp\nsjB671.tmp\UAC.dll
| MD5 | 0d422e0c03a7d9428c6c02175d7dc9f8 |
| SHA1 | 5e13d49521cfbbe52cd74de8e1682789f0268969 |
| SHA256 | 9f47ec720d74e538bbc8d0c1118efcbc52e52050dbe98c27029fc35329996f7c |
| SHA512 | 2edf47b24c4201e082841824d6ad9047a06e9a877d799e87befaf5d54179c924849d2e608cf9f60a1480828edcd98e19f3d139d19bdb4b96ee4939fe58bf0887 |
C:\Users\Admin\AppData\Local\Temp\nsjB671.tmp\InetLoad.dll
| MD5 | e241424579fdfd683f0adff02b7483a8 |
| SHA1 | c4cde72b3e5e34730a41d43383d1234279dff1f6 |
| SHA256 | c8601ee8eda1952ac188c05ae0527b51e525ee4ff36f67218dfdd2d48c79fd6a |
| SHA512 | a0c0f4bb55b8c0143266705292805fcb98f72dbdc4b724569cb31bd7488258ded63583e1f060c1d7bf003d3df2018b05a0720cee3064b6f6c60247e959636947 |
C:\Users\Admin\AppData\Local\Temp\nsjB671.tmp\xml.dll
| MD5 | fbda05aa26e02d38effb82294e83ea69 |
| SHA1 | aa2291ace177515173315668480c74442e21549d |
| SHA256 | 565e439a6262cbe6c8164312ad330930738efa8d4defcbcdcc1eeb752fdb75b3 |
| SHA512 | 3fd4dcbe059df3078f7709b2b9edbe30744ad7ff6e4cd1c494b40bb796a31838d5c9761fe9db860c38bd929c364df4767435fb85dc4e4115e361dd9d640c256f |
memory/3052-603-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous.png
| MD5 | 10783b75928207bf1dd84b5a1f65c7c9 |
| SHA1 | a3d4f71415026150a7e87535e359ca390c2eae1b |
| SHA256 | 6728d4c55ad14ca07fbb022dfb993f677ebd13c6c164db489c5b6c33b443211c |
| SHA512 | 90a4a3bfdc265ba14b27107135eb6ab658d556e3b6198f3e6fb60f035a40dabc73d1a47dc327fd95664d18b624cb5a6cfed1316371e46e127d4eda35d21fab1d |
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous-off.png
| MD5 | 9a8d072191d4e475e5e480fc3543b16b |
| SHA1 | 783592cbcf2d9d9417d1c3ea7e80b8cca46dd590 |
| SHA256 | e7cf677144d89ca7eff48d4179bfff6fa976ef07a7c72c5287a8e64e261dfafb |
| SHA512 | 3ac524ba93c5d0ce3e80dfd251da4cc6bde325d46bd9ef63f24ab442122957e312107053c85fec24d0366767424361fcb0cd162bc6ed769a9025b2b8e1bf1000 |
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next.png
| MD5 | 53c02dc4ee48e77ea7e6f15b8cd9b632 |
| SHA1 | 278a37d0be98089abab95b1438082edf21e33b83 |
| SHA256 | d5275d4eacef964ceac13a7c71c25cf8169477df7254e5d672524394e23f4457 |
| SHA512 | 9e953bcec9221e40ee67b1abc2e713064ffc63be5b7727424219a399e4ffecaea53deae1d734cae5354b5aab4f65721e84f7baf4861bc863c3ceb3d28a4d300b |
C:\PROGRA~2\WIA6EB~1\ToolBar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next-off.png
| MD5 | ec52771cc9f815db8567ed6d7cfe1b09 |
| SHA1 | e1a93767f8336a722d5f6dc1e24bd0336e34a77e |
| SHA256 | ddc97723151b88824e949b565eab55b2acd9ef0df9b95ad1ee6f0dd1f97bced0 |
| SHA512 | 78f6030e570164703d1e7fb4ed407bed8f7de879c861cc6ab27df6a3919ebb4aff5c1826f3e57c535294bca256336e359564df1ce35b21c7a242b42a40bfbebd |
memory/3052-1062-0x00000000038A0000-0x00000000038B6000-memory.dmp
C:\PROGRA~2\WIA6EB~1\ToolBar\SearchquDx.dll
| MD5 | 5341d89ccc497fcdb3cb2b0ee447af2c |
| SHA1 | 21569742db2e4b878560c81b1c4d660aa411f2ee |
| SHA256 | 6cbf7ea6d40cf18fd45be290cf450fa49ca589603c36b193a43d40479b2053a6 |
| SHA512 | 5cb97e4c32c5086358611323be03ee831667ed980e5b7315d51533724f4459099cb5993a44d644d6c59670e297870cd52e0693f7a78f6485cd19349c7e16bef4 |
C:\PROGRA~2\WIA6EB~1\ToolBar\manifest.xml
| MD5 | 809a59f13e2410bc684ba26004c19a26 |
| SHA1 | 73a8d3364be3a2585b4096beeeca8f7ec0e57f87 |
| SHA256 | c734caf5170d50ce5e51b7512c8a795d0ca5aa0a3e201e6a2900967e016afa69 |
| SHA512 | f52e269104480d3979f1245e61bcbc433b39bb0d75ad4e6d4f86627fba1e4a09d24620e0f7cf4570d6d1c89fcdd34af10270738639c51c4f946c9846a7875d5a |