banload | 9183b8178cc8412a505fdd0a3209afba89e67e388fef51c222f20f20d483029d

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
Size

73KB
MD5

166480b160f6013cbc67e8c1dc7a937b
SHA1

6488c38bbf570691456f0639039138ca4fbd5b48
SHA256

9183b8178cc8412a505fdd0a3209afba89e67e388fef51c222f20f20d483029d
SHA512

58f5f61ca47c0374b58251e60a38d672aa17a748e7c8993e794bde89351e839be33a33b9ff4b8e268ab62c0cdae9e19df5655d4e1924573b8d1920262cd9916d
SSDEEP

1536:KCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzRH:KCaZ2Yrb0VTXJYWEsCGuiN

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

GLWorker.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GLWorker.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GLWorker.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GLWorker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GLWorker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	GLWorker.exe

Executes dropped EXE 13 IoCs

Processes:

MSNGamesSetup.exeInstGameInfoHelperMSN.exeAdminWorker.exeAdminWorker.exeiWinTrusted.exeMSNGames.exeiWinTrusted.exeAdminWorker.exeiWinTrusted.exeAdminWorker.exeiWinGames - Infinite Crosswords.exeiWinInstallOptions.exeGLWorker.exe

pid	process
2332	MSNGamesSetup.exe
2780	InstGameInfoHelperMSN.exe
1048	AdminWorker.exe
884	AdminWorker.exe
1868	iWinTrusted.exe
1716	MSNGames.exe
2708	iWinTrusted.exe
2704	AdminWorker.exe
2688	iWinTrusted.exe
1872	AdminWorker.exe
1736	iWinGames - Infinite Crosswords.exe
2516	iWinInstallOptions.exe
2736	GLWorker.exe

Loads dropped DLL 39 IoCs

Processes:

166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exeMSNGamesSetup.exeMSNGames.exeAdminWorker.exeiWinGames - Infinite Crosswords.exeiWinInstallOptions.exe

pid	process
2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
2332	MSNGamesSetup.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1872	AdminWorker.exe
1736	iWinGames - Infinite Crosswords.exe
1736	iWinGames - Infinite Crosswords.exe
1736	iWinGames - Infinite Crosswords.exe
1736	iWinGames - Infinite Crosswords.exe
1736	iWinGames - Infinite Crosswords.exe
2516	iWinInstallOptions.exe
1872	AdminWorker.exe
1872	AdminWorker.exe
1872	AdminWorker.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MSNGames.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSNGames.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSNGames.exe

Drops file in Program Files directory 64 IoCs

Processes:

MSNGamesSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-iwin.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pepflashplayer.dll	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\disconnected-upsell.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\global\page-bg.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\libEGL.dll	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\global\logo.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\styles\shoppingcart.css	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\fa.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\browser_cef_dll.dll	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\success.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\scripts\prototype-1.6.js	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\alert32x32.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\hi.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\it.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\AdminWorker.exe	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\plans\plan1.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\et.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\buttons\close-blue-28.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\misc\information.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ja.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ko.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\pl.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\te.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\common\header-small-bg.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\ftdownload.dat	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ca.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\el.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\login.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\product\feature.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\tr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef_200_percent.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\natives_blob.bin	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\opal.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\scripts\disconnected-upsell.js	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\error404.css	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\en-GB.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\fi.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\alert32x32.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ar.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\sw.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef_100_percent.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\scripts\popups.js	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\bg.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\fr.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ru.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\am.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-bg.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\sounds\slideout.wav	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\fil.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\ml.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\zh-CN.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\cef_extensions.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\global\page-header-small-bg.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\offline.css	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\lt.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\styles\base.css	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\end.html	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\logo.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\gamepage\images\ous\opalbox.jpg	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\pages\iwin_logo.gif	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\de.pak	MSNGamesSetup.exe
File created	C:\Program Files (x86)\MSN Games\locales\nb.pak	MSNGamesSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

InstGameInfoHelperMSN.exeiWinTrusted.exeAdminWorker.exeiWinInstallOptions.exe166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exeAdminWorker.exeMSNGames.exeiWinGames - Infinite Crosswords.exeAdminWorker.exeiWinTrusted.exeMSNGamesSetup.exeAdminWorker.exeiWinTrusted.exeGLWorker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstGameInfoHelperMSN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinInstallOptions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSNGames.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinGames - Infinite Crosswords.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSNGamesSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminWorker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinTrusted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLWorker.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

MSNGamesSetup.exeMSNGames.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MSNGames.exe = "8000"	MSNGamesSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	MSNGames.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	MSNGames.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	MSNGames.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com	MSNGames.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage	MSNGames.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1"	MSNGames.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MSNGamesSetup.exe

Modifies registry class 64 IoCs

Processes:

iWinTrusted.exeGLWorker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\2.0.0.0	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\2.0.0.0\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\RuntimeVersion = "v1.1.4322"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\2.0.0.0\Class = "System.Security.Policy.AllMembershipCondition"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\ThreadingModel = "Both"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\Implemented Categories	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\2.0.0.0\RuntimeVersion = "v2.0.50727"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\ = "mscoree.dll"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\Assembly = "mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MSN Games"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ProgId	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe\" /server"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class"	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1"	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove	iWinTrusted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE	iWinTrusted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ = "System.Security.Policy.AllMembershipCondition"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\Class = "System.Security.Policy.AllMembershipCondition"	GLWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ProgId\ = "System.Security.Policy.AllMembershipCondition"	GLWorker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted	iWinTrusted.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MSNGamesSetup.exeMSNGames.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	MSNGamesSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	MSNGamesSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	MSNGames.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MSNGames.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	MSNGames.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	MSNGamesSetup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSNGames.exe

pid process

1716 MSNGames.exe
1716 MSNGames.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GLWorker.exe

description pid process

Token: 33 2736 GLWorker.exe
Token: SeIncBasePriorityPrivilege 2736 GLWorker.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

MSNGames.exe

pid process

1716 MSNGames.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MSNGames.exe

pid process

1716 MSNGames.exe
1716 MSNGames.exe
1716 MSNGames.exe
1716 MSNGames.exe
1716 MSNGames.exe

pid	process
1716	MSNGames.exe
1716	MSNGames.exe

description	pid	process
Token: 33	2736	GLWorker.exe
Token: SeIncBasePriorityPrivilege	2736	GLWorker.exe

pid	process
1716	MSNGames.exe

pid	process
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe
1716	MSNGames.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exeMSNGamesSetup.exeMSNGames.exeAdminWorker.exeAdminWorker.exeiWinGames - Infinite Crosswords.exe

description	pid	process	target process
PID 2972 wrote to memory of 2332	2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2972 wrote to memory of 2332	2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2972 wrote to memory of 2332	2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2972 wrote to memory of 2332	2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2972 wrote to memory of 2332	2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2972 wrote to memory of 2332	2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2972 wrote to memory of 2332	2972	166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe	MSNGamesSetup.exe
PID 2332 wrote to memory of 2780	2332	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780	2332	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780	2332	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780	2332	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780	2332	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780	2332	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780	2332	MSNGamesSetup.exe	InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 292	2332	MSNGamesSetup.exe	RegisterMCEApp.exe
PID 2332 wrote to memory of 292	2332	MSNGamesSetup.exe	RegisterMCEApp.exe
PID 2332 wrote to memory of 292	2332	MSNGamesSetup.exe	RegisterMCEApp.exe
PID 2332 wrote to memory of 292	2332	MSNGamesSetup.exe	RegisterMCEApp.exe
PID 2332 wrote to memory of 1048	2332	MSNGamesSetup.exe	AdminWorker.exe
PID 2332 wrote to memory of 1048	2332	MSNGamesSetup.exe	AdminWorker.exe
PID 2332 wrote to memory of 1048	2332	MSNGamesSetup.exe	AdminWorker.exe
PID 2332 wrote to memory of 1048	2332	MSNGamesSetup.exe	AdminWorker.exe
PID 2332 wrote to memory of 884	2332	MSNGamesSetup.exe	AdminWorker.exe
PID 2332 wrote to memory of 884	2332	MSNGamesSetup.exe	AdminWorker.exe
PID 2332 wrote to memory of 884	2332	MSNGamesSetup.exe	AdminWorker.exe
PID 2332 wrote to memory of 884	2332	MSNGamesSetup.exe	AdminWorker.exe
PID 2332 wrote to memory of 1868	2332	MSNGamesSetup.exe	iWinTrusted.exe
PID 2332 wrote to memory of 1868	2332	MSNGamesSetup.exe	iWinTrusted.exe
PID 2332 wrote to memory of 1868	2332	MSNGamesSetup.exe	iWinTrusted.exe
PID 2332 wrote to memory of 1868	2332	MSNGamesSetup.exe	iWinTrusted.exe
PID 2332 wrote to memory of 1716	2332	MSNGamesSetup.exe	MSNGames.exe
PID 2332 wrote to memory of 1716	2332	MSNGamesSetup.exe	MSNGames.exe
PID 2332 wrote to memory of 1716	2332	MSNGamesSetup.exe	MSNGames.exe
PID 2332 wrote to memory of 1716	2332	MSNGamesSetup.exe	MSNGames.exe
PID 1716 wrote to memory of 2708	1716	MSNGames.exe	iWinTrusted.exe
PID 1716 wrote to memory of 2708	1716	MSNGames.exe	iWinTrusted.exe
PID 1716 wrote to memory of 2708	1716	MSNGames.exe	iWinTrusted.exe
PID 1716 wrote to memory of 2708	1716	MSNGames.exe	iWinTrusted.exe
PID 1716 wrote to memory of 2704	1716	MSNGames.exe	AdminWorker.exe
PID 1716 wrote to memory of 2704	1716	MSNGames.exe	AdminWorker.exe
PID 1716 wrote to memory of 2704	1716	MSNGames.exe	AdminWorker.exe
PID 1716 wrote to memory of 2704	1716	MSNGames.exe	AdminWorker.exe
PID 2704 wrote to memory of 2688	2704	AdminWorker.exe	iWinTrusted.exe
PID 2704 wrote to memory of 2688	2704	AdminWorker.exe	iWinTrusted.exe
PID 2704 wrote to memory of 2688	2704	AdminWorker.exe	iWinTrusted.exe
PID 2704 wrote to memory of 2688	2704	AdminWorker.exe	iWinTrusted.exe
PID 1716 wrote to memory of 1872	1716	MSNGames.exe	AdminWorker.exe
PID 1716 wrote to memory of 1872	1716	MSNGames.exe	AdminWorker.exe
PID 1716 wrote to memory of 1872	1716	MSNGames.exe	AdminWorker.exe
PID 1716 wrote to memory of 1872	1716	MSNGames.exe	AdminWorker.exe
PID 1872 wrote to memory of 1736	1872	AdminWorker.exe	iWinGames - Infinite Crosswords.exe
PID 1872 wrote to memory of 1736	1872	AdminWorker.exe	iWinGames - Infinite Crosswords.exe
PID 1872 wrote to memory of 1736	1872	AdminWorker.exe	iWinGames - Infinite Crosswords.exe
PID 1872 wrote to memory of 1736	1872	AdminWorker.exe	iWinGames - Infinite Crosswords.exe
PID 1736 wrote to memory of 2516	1736	iWinGames - Infinite Crosswords.exe	iWinInstallOptions.exe
PID 1736 wrote to memory of 2516	1736	iWinGames - Infinite Crosswords.exe	iWinInstallOptions.exe
PID 1736 wrote to memory of 2516	1736	iWinGames - Infinite Crosswords.exe	iWinInstallOptions.exe
PID 1736 wrote to memory of 2516	1736	iWinGames - Infinite Crosswords.exe	iWinInstallOptions.exe
PID 1736 wrote to memory of 2516	1736	iWinGames - Infinite Crosswords.exe	iWinInstallOptions.exe
PID 1736 wrote to memory of 2516	1736	iWinGames - Infinite Crosswords.exe	iWinInstallOptions.exe
PID 1736 wrote to memory of 2516	1736	iWinGames - Infinite Crosswords.exe	iWinInstallOptions.exe
PID 1716 wrote to memory of 2736	1716	MSNGames.exe	GLWorker.exe
PID 1716 wrote to memory of 2736	1716	MSNGames.exe	GLWorker.exe
PID 1716 wrote to memory of 2736	1716	MSNGames.exe	GLWorker.exe

C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
  C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe
    "C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\ehome\RegisterMCEApp.exe
    "C:\Windows\ehome\RegisterMCEApp.exe" /allusers "C:\Program Files (x86)\MSN Games\MSNGames-MCE.xml"
    3⤵
    PID:292
- - C:\Program Files (x86)\MSN Games\AdminWorker.exe
    "C:\Program Files (x86)\MSN Games\AdminWorker.exe" AddArcadeToFireWallExceptions
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1048
- - C:\Program Files (x86)\MSN Games\AdminWorker.exe
    "C:\Program Files (x86)\MSN Games\AdminWorker.exe" restoreShortcutsPathes
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:884
- - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
    "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1868
- - C:\Program Files (x86)\MSN Games\MSNGames.exe
    "C:\Program Files (x86)\MSN Games\MSNGames.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
      "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2708
  - - C:\Program Files (x86)\MSN Games\AdminWorker.exe
      "C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\MSN Games\\iWinTrusted.exe" "-install"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Program Files (x86)\MSN Games\iWinTrusted.exe
        
        "C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2688
  - - C:\Program Files (x86)\MSN Games\AdminWorker.exe
      "C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessAndWait "C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe" "/S" "6577137636012359169" "6577137643961526784" "" "" "price|999|gameSKU|6577137643961526784";PogoInstall;Infinite Crosswords
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe" /S
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe" /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2516
  - - C:\Games\MSN\Infinite Crosswords\GLWorker.exe
      "C:\Games\MSN\Infinite Crosswords\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid6577137636012359169
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSN Games\AdminWorker.exe

Filesize
617KB

MD5
6772fdec98b776314724f63be2f657b3

SHA1
6014eb84c278072a501790a9be7c061156c4b824

SHA256
8265375aa8916022cddaf5921f034b787416af5be65526f0a15e5791ebd257ed

SHA512
0bad9e075ff4df3606ae7efc3ad8e2038e0b7f69379b72bfbe2686ba6d92a7b3251b0cf021af9b9231b60b92d42a0af2f0e8a150e44b5410dab7e4b8b9a2273a

Download Submit
C:\Program Files (x86)\MSN Games\MSNGames-MCE.xml

Filesize
1KB

MD5
db3daf15dfd20f564e59e58d6ffae077

SHA1
71ed8b468bf72c45edecb5884216e47acacd8ffb

SHA256
1d1a8db2b6d41d0c3692a5b058b92a4b08665b3577974c6ec824d1f38e030e52

SHA512
71827b95d42d361aea51a40ec71e24bdd933ed97310cfc6dfd7e83c767e0a3c4f66ce19d55db56521e58d66c7b1ea817d3379c89d9fbc900574979c3feff9502

Download Submit
C:\Program Files (x86)\MSN Games\WebUpdater.bmp

Filesize
47KB

MD5
3bef430235c592989ef45d64b8995fda

SHA1
0d99277cdeec4845540bcf456531b57e0e939cdd

SHA256
624426067e03d13efcfc88d570cc593649b67bafd9bf673ab46046dab00d8d5d

SHA512
7dd5904c5ff5680be017238bb3ed96f6652d575d2eb6d85d2a3ac8045c58d836ddca12d73ebab831f22a9b57a0e410c2a56359b5abf567be5ec565a9c781af96

Download Submit
C:\Program Files (x86)\MSN Games\pages\blank.html

Filesize
104B

MD5
9482e5ee38471e5b6a688ad0d02fe6b4

SHA1
12dfac1206e34a47b2d3f639106056c9f7ca3e7a

SHA256
a655fa3c755d22a5a95b01a91030fe889e8c37e900226a05fc32aebd04fc4e2d

SHA512
c8b1ec8ef2d48d3c8d57c2728bb1ae6d150f43bc3ccba063b819ae1e7809331b170fc764d655db5ee11c838cbb74b91abc3abd837d98830589ee5b3aa3e905a4

Download Submit
C:\Program Files (x86)\MSN Games\pages\blank2.html

Filesize
74B

MD5
90b42fd8e93203218847a3c0a646d377

SHA1
0d485e2de867448e4853031d5714942128d92983

SHA256
aec450600b1ea9c5cd12a92ff9764092434c2cca7e56c10c7b11a63a13209c5f

SHA512
de8ab5192fbb9e1df4f1baa7436f2d21cbb94f921931d502aed87049b46affe2dba1929ef48b528f114722cff7c797d381070b35884f7bea18813df355b0ffab

Download Submit
C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg

Filesize
40KB

MD5
bf7e93622206bd7206494a7b805c0954

SHA1
5dec728c393cafd17d55a18501770ce22f16ffae

SHA256
cabc0465f851bce0342470e5f4d81a5f4045028d4093d059225b4f76eb6297d7

SHA512
f60adc9f8086793070c9fe7b7f1aab75251a4c71622c364ff6fc0e63b5f14da3e56cbca412ce2d80322713d4e4ca6944ede640878f1d115a48b08a891305d9ce

Download Submit
C:\Program Files (x86)\MSN Games\sounds\animation.wav

Filesize
77KB

MD5
3ef7618619348fbbeca7b0f772be7e5c

SHA1
d86829f29c8f22c2d3562269b3d2f0c3b822ad0c

SHA256
d361e7b9d8d6e1e3c2b4977f53a06a363183b74796b27cbba2d0277a7e19a872

SHA512
b7c339678b214ff57594f02f2953ec762584f8b31644b1f63ac55586423fd34a7afae9c3d208db7caaab6e30bcb806cc9720cdb34c58f466aabad547d3263376

Download Submit
C:\Program Files (x86)\MSN Games\sounds\button_click.wav

Filesize
8KB

MD5
d5c43fe0fd3f6b5c1d2d96ef21834f9d

SHA1
f8e36c4fe187396cec014bb2e733d953b3a76fdd

SHA256
ed0c4264b99666a9e59299097c2acc7549dcf7e896c2a7584d65a616aaa415e1

SHA512
e629e4cab48e75c35dbbb33b427c31babe814ecadf4357695e7bb3370ca838005c9c156a3dcb79f574cfd4b05b4fa6b55c991f249d9f3b6b072c3d87468c04cc

Download Submit
C:\Program Files (x86)\MSN Games\sounds\start.wav

Filesize
57KB

MD5
94ab5e493c7fd8358c9a893d0a108d5f

SHA1
5dd41e775bb246ee33cbbb6bbf1a4a6b65da1173

SHA256
54e995d1600802e1dccb785ba3ea20d14c85b54e70c397d48074135f2c731b4a

SHA512
f95197a3f28d57c77ad4f40346d941ce075e83bec79531eb7000b981f9587f0ccbe962edb11390c4a122386666e0665f1572091489338760a2dcd2bba0113164

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab35A5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar497F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5FFC.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\ftdownload.dat

Filesize
512B

MD5
433030c5cbb375e16cc885014191f07b

SHA1
485546229799b852d97fee65a5d899aaad757ed7

SHA256
1095affbecd87e6bc9a6a2d3ba7937a2d847480b24b2cc66458b3614beb6bed4

SHA512
c4506614047c741a2c8b039a878c7eeb387c9f136dd9be2847d1edee0848368517e18606110a5b1f225a2e937e7536420e9a68fd5bf7283e29efc41f40859091

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\gametitle.txt

Filesize
19B

MD5
b95effb5cac0ebc1ea0c2e8e846e5045

SHA1
43eeed2f329347102b81baafc0cd9e62b5eae175

SHA256
3d99b189ef5a1f1fd58289b094ea89759b812efadf4cc86598cc5c207ad51859

SHA512
43c80d1713253a54b4d31a742c4afa5d0070a0f290498a71488d9d80156295438dd294496d21cb590f9ef95a1b99cf39073b026014b375d6b8d97e9b03674f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\tn_feat.bmp

Filesize
4KB

MD5
49cd2c57170a77dfa6639da258bdcce1

SHA1
fa49d2bbcccaa5219c96ecec6ef9833ebda3af2a

SHA256
6dd1f4b52d063661e6da75d17880d8e0c0d5d5febff44824f646ac92faa7dc63

SHA512
d5b2302f83f2cf7c7f45c38508ccf2ca7762f6ce2feb50b48a5337bdb1592cff3ecd43bfd06da4c9e29d420bc319a7d5ab9555598365137d67ea4875868de4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\tn_feat.jpg

Filesize
1KB

MD5
c2965cb96a332484fd16f6f43d367cce

SHA1
ea86229b04037c6c333150235fc9f40d7675a3c6

SHA256
ac368fbb7f15ee40eb4731284dc848a454f3a01cab11c9bfbcff8ae7c0782d72

SHA512
4a499be02e4c45e00c75b8ab5b84f37c2311db6a78fcbbbc0ace6391a067aad731e23592cd4d014757e227f344575d9857c66a60a8c3dd4b6e8b11195255a147

Download Submit
\Games\MSN\Infinite Crosswords\InfiniteCrosswords.ifn

Filesize
4.5MB

MD5
d9491b48ad8ba2e01bb4c2227319c55c

SHA1
f3fb231ee2c9c941a20911bb5c97db15938be785

SHA256
32956cf2acbd4fea7663af2177c5323d0397b285e4096e150e8ae1ffb8f1d1d1

SHA512
7ac18e7aefede8d0697273fba47d28089739bd3cdf1f1d27f2560a0dd2739e9cf12db8c787186ee33e23022a24ca4cbea5952bb361839287ac27f11a1e36ba47

Download Submit
\Program Files (x86)\MSN Games\MSNGames.exe

Filesize
10.7MB

MD5
a723f73cafced792d6b908c70368aa5e

SHA1
76725a966bb2f0151f9cbbd7ef41b4aa59255ca3

SHA256
79b411d4ec2da73268cf304e5af339544cc516f1b9469a6722afcd72cc9aca1c

SHA512
92f49b895638473084cf2c86b94ec414fc8c6ba5a1d0dba2cee999366f4f5983dff4ae986de12ad71591242aa511b732c80e28d58ee9151477e54419b8c92759

Download Submit
\Program Files (x86)\MSN Games\iWinTrusted.exe

Filesize
218KB

MD5
f117e941af67e0c73327b261d03d8293

SHA1
c00aa7b9217793451b3cb5658a4f54a313ec2e36

SHA256
cf76079b5d416815c3607b309336f5d6801a9953ad3d9d87eaebdffb531b08ea

SHA512
1e5383d26544f082a0f7b20f828597c0a7004b7f71af285b40ec241fea739a96459b6899bd36ba5b216012ce87bc7b403797dc5c481aa947a63f26aeea571b1c

Download Submit
\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe

Filesize
5.6MB

MD5
814bfe8f14c329e1442c3e3a8d8293b5

SHA1
d453cdd5ca2819bda9c0a31bffaa9978503b6094

SHA256
86ae8e00b375b9d576c8b2c859c3971cae7ff17c6133c79b1821fb76586041a4

SHA512
a1516e11eac7f57cebbbf7fcca9f9a932f4d92841f655a7c63b56aca73903c3faa48ebb4cb357afde963abac84959277c080ae288da0833a303152e9246c47bf

Download Submit
\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe

Filesize
84KB

MD5
8003a3286495deed791c357cb8fc4e82

SHA1
c3c602b0c69f1dc66c4f1e498c67e003f6f2d1e6

SHA256
556f052e6bc898af76c81ce5d00493fd0c1364fdaf2c1567409154d10ffc2cc3

SHA512
79fc49ed2fdbb4babe79937cb3c4a1db92a0ce0e948b083708d643b935cec57ea4feba3998e7530ea22aedc2eb71cfc061d259ba1d90234de968f0dfe66eecbd

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe

Filesize
45.6MB

MD5
7b3ec6d1800cddc1b195d98244e98e5a

SHA1
4f1f7318c220cfca2d8631dc3398c3242bf34115

SHA256
3cb4ae53e2756e00d016427ff3e27a488376e1ce81b5a2ce4e24520e7ca8000a

SHA512
d8ff6fee981cd039499ea2b78d2565a5418a867a40eea43310051ff90a5f2a7462cd3c63c87f9e539135d91bcea0bf2dd5ceb25256201f781c8f49c344d0fb93

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\nsisdl.dll

Filesize
14KB

MD5
a5a4cee2eb89d2687c05ef74299f0dba

SHA1
b9bff5987be422887f2f402357b47db2288a1a42

SHA256
cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963

SHA512
f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\GameuxInstallHelper.dll

Filesize
94KB

MD5
4d3ac88054df63fc810427bdaa96c458

SHA1
e4d554e03ba91f6b53a2a80253b339f56e303c94

SHA256
b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

SHA512
d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe

Filesize
455KB

MD5
0025cd88501fa44e826bc9ed4bdef2fb

SHA1
c1a5d54809ba50bea7c4cac90563eb50b1d973ab

SHA256
f26ccc52aee7f6949d33a8c5eae4829bf94ad338765b04b68214cb5f375d5d59

SHA512
96a78d4d84fa9aa74f7791d01534e9c18cabf31a73b2e6711d4152527e16265163f415b43f418112652f3642192a8409383098899f84cb762c4cf6ff2c8140fd

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
memory/1716-516-0x000000000A7F0000-0x000000000A9FC000-memory.dmp

Filesize
2.0MB

Download
memory/1716-485-0x000000000A7F0000-0x000000000A9FC000-memory.dmp

Filesize
2.0MB

Download
memory/1716-483-0x000000000A7F0000-0x000000000A9FC000-memory.dmp

Filesize
2.0MB

Download
memory/1716-515-0x000000000A7F0000-0x000000000A9FC000-memory.dmp

Filesize
2.0MB

Download
memory/1716-492-0x000000000A7F0000-0x000000000A9FC000-memory.dmp

Filesize
2.0MB

Download
memory/1716-484-0x000000000A7F0000-0x000000000A9FC000-memory.dmp

Filesize
2.0MB

Download
memory/1736-457-0x0000000020000000-0x00000000204B6000-memory.dmp

Filesize
4.7MB

Download
memory/1736-456-0x0000000020000000-0x00000000204B6000-memory.dmp

Filesize
4.7MB

Download
memory/2736-491-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2736-490-0x0000000002620000-0x0000000002820000-memory.dmp

Filesize
2.0MB

Download
memory/2736-498-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2736-500-0x0000000002620000-0x0000000002820000-memory.dmp

Filesize
2.0MB

Download
memory/2736-499-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2736-497-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2736-504-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2736-502-0x0000000002620000-0x0000000002820000-memory.dmp

Filesize
2.0MB

Download
memory/2736-486-0x0000000002620000-0x0000000002820000-memory.dmp

Filesize
2.0MB

Download