Malware Analysis Report

2024-10-16 03:32

Sample ID 241005-gfg1msydpp
Target 166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118
SHA256 9183b8178cc8412a505fdd0a3209afba89e67e388fef51c222f20f20d483029d
Tags discovery evasion trojan banload downloader dropper
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 9183b8178cc8412a505fdd0a3209afba89e67e388fef51c222f20f20d483029d

Threat Level: Known bad

The file 166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery evasion trojan banload downloader dropper

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Checks installed software on the system

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 05:44

Signatures

NSIS installer

installer

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 05:44

Reported

2024-10-05 05:47

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\MSN Games\AdminWorker.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\MSN Games\pages\alert32x32.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\maintenance.html | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ar.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\sk.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\te.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\alert32x32.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\global\logo.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\ous\ous-promo-banner.jpg | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\zh-CN.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\WebUpdater.bmp | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\disconnected-upsell.html | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\logo.jpg | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\global\logo-invis.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\misc\blue-bottom-triangle.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\scripts\popups.js | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\sounds\button_click.wav | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\mr.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ms.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\th.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\cef.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\natives_blob.bin | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\buttons\close-blue-28.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\sounds\slidebackin.wav | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\fr.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\pt-BR.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ta.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\WebUpdater.exe | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\success.html | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\hi.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ml.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\libcef.dll | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\styles\disconnected-upsell.css | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\sounds\download_completed.wav | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\hr.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ja.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\end.html | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\ous\divider.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\es-419.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\sl.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\common\header-small-bg.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\he.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\cef_extensions.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\global\page-header-small-bg.jpg | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\nb.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\AdminWorker.exe | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\sounds\start.wav | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\pt-PT.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\buttons\yesiwantabackupcd-orange-197.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\plans\plan3.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\sounds\animation.wav | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\tr.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\error.html | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-bg.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\expired.html | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\open.html | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\css\offline.css | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\es.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\gamepage\images\product\feature.jpg | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\iwin_logo.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\pages\offlineBg.gif | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\ro.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
File created | C:\Program Files (x86)\MSN Games\locales\zh-TW.pak | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\AdminWorker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\AdminWorker.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\MSN Games\AdminWorker.exe | N/A

NSIS installer

installer

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MSNGames.exe = "8000" | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\MSN Games\MSNGames.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe\" /server" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14} | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MSN Games" | C:\Program Files (x86)\MSN Games\iWinTrusted.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1500 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe
PID 1500 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe
PID 1500 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe
PID 2956 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe
PID 2956 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe
PID 2956 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe
PID 2956 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2956 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2956 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2956 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2956 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2956 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2956 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2956 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2956 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2956 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2956 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2956 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe | C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2236 wrote to memory of 1536 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2236 wrote to memory of 1536 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2236 wrote to memory of 1536 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2236 wrote to memory of 5028 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2236 wrote to memory of 5028 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2236 wrote to memory of 5028 | N/A | C:\Program Files (x86)\MSN Games\MSNGames.exe | C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 5028 wrote to memory of 5000 | N/A | C:\Program Files (x86)\MSN Games\AdminWorker.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 5028 wrote to memory of 5000 | N/A | C:\Program Files (x86)\MSN Games\AdminWorker.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 5028 wrote to memory of 5000 | N/A | C:\Program Files (x86)\MSN Games\AdminWorker.exe | C:\Program Files (x86)\MSN Games\iWinTrusted.exe

Processes

C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe

"C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe"

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" AddArcadeToFireWallExceptions

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" restoreShortcutsPathes

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\MSNGames.exe

"C:\Program Files (x86)\MSN Games\MSNGames.exe"

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\MSN Games\\iWinTrusted.exe" "-install"

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x46c 0x4e0

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | dl.iwin.com | udp
CZ | 65.9.95.69:80 | dl.iwin.com | tcp
US | 8.8.8.8:53 | 69.95.9.65.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | gm-msn.iwin.com | udp
US | 18.213.80.235:80 | gm-msn.iwin.com | tcp
US | 8.8.8.8:53 | 235.80.213.18.in-addr.arpa | udp
US | 8.8.8.8:53 | img.iwin.com | udp
GB | 13.224.81.89:80 | img.iwin.com | tcp
US | 8.8.8.8:53 | 89.81.224.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 18.213.80.235:80 | gm-msn.iwin.com | tcp
US | 18.213.80.235:80 | gm-msn.iwin.com | tcp
US | 18.213.80.235:80 | gm-msn.iwin.com | tcp
US | 18.213.80.235:80 | gm-msn.iwin.com | tcp
US | 8.8.8.8:53 | gm-msn.iwin.com | udp
US | 18.213.80.235:80 | gm-msn.iwin.com | tcp
US | 18.213.80.235:80 | gm-msn.iwin.com | tcp
US | 18.213.80.235:80 | gm-msn.iwin.com | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\System.dll

MD5 960a5c48e25cf2bca332e74e11d825c9
SHA1 da35c6816ace5daf4c6c1d57b93b09a82ecdc876
SHA256 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
SHA512 cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\nsisdl.dll

MD5 a5a4cee2eb89d2687c05ef74299f0dba
SHA1 b9bff5987be422887f2f402357b47db2288a1a42
SHA256 cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963
SHA512 f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\MSNGamesSetup.exe

MD5 7b3ec6d1800cddc1b195d98244e98e5a
SHA1 4f1f7318c220cfca2d8631dc3398c3242bf34115
SHA256 3cb4ae53e2756e00d016427ff3e27a488376e1ce81b5a2ce4e24520e7ca8000a
SHA512 d8ff6fee981cd039499ea2b78d2565a5418a867a40eea43310051ff90a5f2a7462cd3c63c87f9e539135d91bcea0bf2dd5ceb25256201f781c8f49c344d0fb93

C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\ftdownload.dat

C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\nsExec.dll

C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\InstGameInfoHelperMSN.exe

C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\gametitle.txt

C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\tn_feat.bmp

C:\Program Files (x86)\MSN Games\MSNGames.exe

C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\GameuxInstallHelper.dll

C:\Program Files (x86)\MSN Games\AdminWorker.exe

C:\Program Files (x86)\MSN Games\WebUpdater.exe

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

C:\Users\Admin\AppData\Local\Temp\nsg7BB9.tmp\tn_feat.jpg

C:\Program Files (x86)\MSN Games\pages\blank.html

C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg

C:\Program Files (x86)\MSN Games\pages\blank2.html

C:\Program Files (x86)\MSN Games\sounds\animation.wav

C:\Program Files (x86)\MSN Games\WebUpdater.bmp

C:\Program Files (x86)\MSN Games\sounds\start.wav

C:\Program Files (x86)\MSN Games\sounds\button_click.wav


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 05:44

Reported

2024-10-05 05:47

Platform

win7-20240708-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-iwin.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pepflashplayer.dll C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\disconnected-upsell.html C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\global\page-bg.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\libEGL.dll C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\global\logo.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\styles\shoppingcart.css C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\fa.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\browser_cef_dll.dll C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\cef.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\success.html C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\scripts\prototype-1.6.js C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\alert32x32.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\hi.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\it.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\plans\plan1.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\et.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\buttons\close-blue-28.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\misc\information.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\ja.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\ko.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\pl.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\te.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\common\header-small-bg.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\ftdownload.dat C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\ca.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\el.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\login.html C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\product\feature.jpg C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\tr.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\cef_200_percent.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\natives_blob.bin C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\ous\opal.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\scripts\disconnected-upsell.js C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\error404.css C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\en-GB.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\fi.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\alert32x32.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\ar.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\sw.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\cef_100_percent.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\scripts\popups.js C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\iwgm.loading.jpg C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\bg.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\fr.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\ru.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\am.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\ous\hotel-bg.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\sounds\slideout.wav C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\fil.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\ml.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\zh-CN.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\cef_extensions.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\global\page-header-small-bg.jpg C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\offline.css C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\lt.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\styles\base.css C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\end.html C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\logo.jpg C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\gamepage\images\ous\opalbox.jpg C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\pages\iwin_logo.gif C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\de.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
File created C:\Program Files (x86)\MSN Games\locales\nb.pak C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\AdminWorker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\MSNGames.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\iwin.com\NumberOfSubdomains = "1" C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\2.0.0.0 C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\2.0.0.0\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\Programmable C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\RuntimeVersion = "v1.1.4322" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\2.0.0.0\Class = "System.Security.Policy.AllMembershipCondition" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\ = "iWinTrusted Class" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\ThreadingModel = "Both" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID\ = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\ = "iWinTrusted 1.1 Type Library" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS\ = "0" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0\win32\ = "C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\FLAGS C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ = "iWinTrusted Class" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ = "IiWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\Implemented Categories C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\2.0.0.0\RuntimeVersion = "v2.0.50727" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CLSID C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalService = "iWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{635ADC07-6F19-42a7-8043-EDD19678CE14} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\TypeLib\ = "{44E6B68E-8DA5-4093-921B-7275E5B3906A}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32 C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\ = "mscoree.dll" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\Assembly = "mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\AppID = "{635ADC07-6F19-42a7-8043-EDD19678CE14}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB} C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MSN Games" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ProgId C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\ProgID\ = "iWinTrusted.CoiWinTrusted.1" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\VersionIndependentProgID\ = "iWinTrusted.CoiWinTrusted" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{635ADC07-6F19-42a7-8043-EDD19678CE14}\LocalServer32\ = "\"C:\\Program Files (x86)\\MSN Games\\iWinTrusted.exe\" /server" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A} C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44E6B68E-8DA5-4093-921B-7275E5B3906A}\1.0\0 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\TypeLib\Version = "1.0" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B16338D-AFD9-46FF-8BEE-4FEC95946937}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1 C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted.1\ = "iWinTrusted Class" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted\CurVer\ = "iWinTrusted.CoiWinTrusted.1" C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ForseRemove C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\iWinTrusted.EXE C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ = "System.Security.Policy.AllMembershipCondition" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\InprocServer32\Class = "System.Security.Policy.AllMembershipCondition" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F155C40F-4FF8-0928-4EF2-F3B10A8361EB}\ProgId\ = "System.Security.Policy.AllMembershipCondition" C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\iWinTrusted.CoiWinTrusted C:\Program Files (x86)\MSN Games\iWinTrusted.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Games\MSN\Infinite Crosswords\GLWorker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\MSN Games\MSNGames.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
PID 2972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
PID 2972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
PID 2972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
PID 2972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
PID 2972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
PID 2972 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe
PID 2332 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe
PID 2332 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Windows\ehome\RegisterMCEApp.exe
PID 2332 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Windows\ehome\RegisterMCEApp.exe
PID 2332 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Windows\ehome\RegisterMCEApp.exe
PID 2332 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Windows\ehome\RegisterMCEApp.exe
PID 2332 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2332 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2332 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2332 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2332 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2332 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2332 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2332 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2332 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2332 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2332 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2332 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2332 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2332 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2332 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 2332 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe C:\Program Files (x86)\MSN Games\MSNGames.exe
PID 1716 wrote to memory of 2708 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 1716 wrote to memory of 2708 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 1716 wrote to memory of 2708 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 1716 wrote to memory of 2708 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 1716 wrote to memory of 2704 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 1716 wrote to memory of 2704 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 1716 wrote to memory of 2704 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 1716 wrote to memory of 2704 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 2704 wrote to memory of 2688 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2704 wrote to memory of 2688 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2704 wrote to memory of 2688 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 2704 wrote to memory of 2688 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Program Files (x86)\MSN Games\iWinTrusted.exe
PID 1716 wrote to memory of 1872 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 1716 wrote to memory of 1872 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 1716 wrote to memory of 1872 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 1716 wrote to memory of 1872 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Program Files (x86)\MSN Games\AdminWorker.exe
PID 1872 wrote to memory of 1736 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
PID 1872 wrote to memory of 1736 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
PID 1872 wrote to memory of 1736 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
PID 1872 wrote to memory of 1736 N/A C:\Program Files (x86)\MSN Games\AdminWorker.exe C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe
PID 1736 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe
PID 1736 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe
PID 1736 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe
PID 1736 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe
PID 1736 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe
PID 1736 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe
PID 1736 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe
PID 1716 wrote to memory of 2736 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Games\MSN\Infinite Crosswords\GLWorker.exe
PID 1716 wrote to memory of 2736 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Games\MSN\Infinite Crosswords\GLWorker.exe
PID 1716 wrote to memory of 2736 N/A C:\Program Files (x86)\MSN Games\MSNGames.exe C:\Games\MSN\Infinite Crosswords\GLWorker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\166480b160f6013cbc67e8c1dc7a937b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsoBAF7.tmp\MSNGamesSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe

"C:\Users\Admin\AppData\Local\Temp\nsoE59F.tmp\InstGameInfoHelperMSN.exe"

C:\Windows\ehome\RegisterMCEApp.exe

"C:\Windows\ehome\RegisterMCEApp.exe" /allusers "C:\Program Files (x86)\MSN Games\MSNGames-MCE.xml"

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" AddArcadeToFireWallExceptions

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" restoreShortcutsPathes

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\MSNGames.exe

"C:\Program Files (x86)\MSN Games\MSNGames.exe"

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessNoWait "C:\Program Files (x86)\MSN Games\\iWinTrusted.exe" "-install"

C:\Program Files (x86)\MSN Games\iWinTrusted.exe

"C:\Program Files (x86)\MSN Games\iWinTrusted.exe" -install

C:\Program Files (x86)\MSN Games\AdminWorker.exe

"C:\Program Files (x86)\MSN Games\AdminWorker.exe" StartProcessAndWait "C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe" "/S" "6577137636012359169" "6577137643961526784" "" "" "price|999|gameSKU|6577137643961526784";PogoInstall;Infinite Crosswords

C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe

"C:\Users\Admin\AppData\Local\Temp\MSNGames\Downloads\iWinGames - Infinite Crosswords.exe" /S

C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe

"C:\Users\Admin\AppData\Local\Temp\nso5A9F.tmp\iWinInstallOptions.exe" /S

C:\Games\MSN\Infinite Crosswords\GLWorker.exe

"C:\Games\MSN\Infinite Crosswords\GLWorker.exe" ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid6577137636012359169

Network

Country Destination Domain Proto

Files
